Skip to content

Improve Origin header handing for WebSockets #1448

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
AchimKlotz opened this issue Aug 3, 2017 · 7 comments
Closed

Improve Origin header handing for WebSockets #1448

AchimKlotz opened this issue Aug 3, 2017 · 7 comments
Assignees
@slandelle
Labels
Enhancement
Milestone
2.0.34

Comments

@AchimKlotz
Copy link

In the NettyRequestFactory the origin header is calculated this way:
.set(ORIGIN, "http://" + uri.getHost() + ":" + uri.getExplicitPort())//

this is wrong for secure wss websocket request, if you for example have an request to
wss://yourdomain.com the origin header will be http://yourdomain.com:443

The correct header should be calculated like this:
String origin = (uri.getScheme().equals("wss") ? "https" : "http" ) +"://"+uri.getHost() +(uri.getExplicitPort() != 80 && uri.getExplicitPort() != 443 ? uri.getExplicitPort() : "");
@slandelle
Copy link
Contributor

I've just check with Chrome on http://websocket.org/ and Origin header is really http://websocket.org when connection over wss.

capture d ecran 2017-08-03 a 13 44 51

@AchimKlotz
Copy link
Author

but not if you call https://websocket.org/echo.html
then the origin header is https://websocket.org.
I've got the problem that a server is only reachable by https and wss and the websocket connection is rejected if the origin header is not set correctly. With Chrome this is working fine on that server
Please see also a related netty issue which has been fixed about a year ago: netty/netty#5402
selection_157

@slandelle slandelle reopened this Aug 3, 2017
@slandelle
Copy link
Contributor

Oh my, you're right.
So browsers use the web page for Origin o_0.

But then, as you can see, your suggestion doesn't work either: you jump can't build the Origin header from the ws(s) url as it could be a different domain (here, WebSocket domain is "echo.websocket.org" while Origin header targets "websocket.org").

The best solution would be to honor existing "Origin" header.
Then, if it's undefined, it might indeed be a good idea to use https for wss.

WDYT?

@AchimKlotz
Copy link
Author

I think that's a sensible solution: If the "Origin" header is passed use that one, otherwise construct it like in my suggested solution.
According to the specification https://tools.ietf.org/html/rfc6454#section-6.1 the port should be omitted if it is the standard port for the protocol:
5. If the port part of the origin triple is different from the default port for the protocol given by the scheme part of the origin triple:

@slandelle
Copy link
Contributor

slandelle commented Aug 4, 2017
edited
Loading

According to the specification https://tools.ietf.org/html/rfc6454#section-6.1 the port should be omitted if it is the standard port for the protocol

Yes, I noticed that too but didn't have time yesterday for logging the issue. This is a separate issue.

Would you mind providing your PR, please?

Also, you should be using Uri.isSecured instead of testing the scheme manually.

@slandelle slandelle added this to the 2.0.34 milestone Aug 4, 2017
@slandelle slandelle changed the title Error generating Origin header for secure websocket update request Improve Origin header handing for WebSockets Aug 4, 2017
@AchimKlotz
Copy link
Author

String origin =request.getHeaders().get(ORIGIN) != null ? request.getHeaders().get(ORIGIN) : (uri.isSecured() ? "https" : "http" ) +"://"+uri.getHost() + ((uri.getExplicitPort() != 80 && !uri.isSecured()) || (uri.getExplicitPort() != 443 && uri.isSecured()) ? uri.getExplicitPort() : "");
also attached as git diff to version 2.0.33

header.txt

@slandelle
Copy link
Contributor

Never used Git, huh? ;-)

slandelle added a commit that referenced this issue Aug 4, 2017
@slandelle
Honor existing Origin header when using WebSockets, otherwise use sec…
4e49e69 
…… …ured scheme for wss, close #1448

Motivation:

When performing initial WebSocket HTTP request, we force Origin header.

This is wrong, as Origin might use a different domain than WebSocket
url.
Also, when computing default Origin, it would make sense to use a
secure scheme when using secured sockets.

Modifications:
* Don’t override existing Origin header
* Use https for wss

Result:
It’s now possible to set Origin on a different domain. Better default
@slandelle slandelle self-assigned this Aug 4, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@slandelle slandelle

Labels
Enhancement
Projects
None yet
Milestone
2.0.34
Development

No branches or pull requests
2 participants
@slandelle @AchimKlotz