Skip to content

Origin check should not only be a check against the host #529

New issue
New issue
Open
Open
Origin check should not only be a check against the host#529
@timofurrer

Description

@timofurrer
timofurrer
opened on Apr 28, 2025

The package supports to automatically perform an Origin header check via OriginPatterns. However, these origin patterns are only checked against the Origin header Host component (see

websocket/accept.go

Line 244 in efb626b

matched, err := match(hostPattern, u.Host)
).

I believe that this is incorrect and the entire Origin header should be checked against a set of allowed once - that is, including the schema and port.

Activity

sc0Vu

sc0Vu commented on Jun 9, 2025

@sc0Vu
sc0Vu
on Jun 9, 2025

@timofurrer It seems Host contains host and port https://pkg.go.dev/net/url#URL, but I think they may miss schema here. Based on this spec https://datatracker.ietf.org/doc/html/rfc6454#section-3.2, the schema is required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      Origin check should not only be a check against the host · Issue #529 · coder/websocket