rpc: skip websocket origin check if there is no origin header
This commit is contained in:
parent
c283d9b5e8
commit
26d3a8ca80
@ -124,6 +124,13 @@ func wsHandshakeValidator(allowedOrigins []string) func(*websocket.Config, *http
|
|||||||
log.Debug(fmt.Sprintf("Allowed origin(s) for WS RPC interface %v", origins.ToSlice()))
|
log.Debug(fmt.Sprintf("Allowed origin(s) for WS RPC interface %v", origins.ToSlice()))
|
||||||
|
|
||||||
f := func(cfg *websocket.Config, req *http.Request) error {
|
f := func(cfg *websocket.Config, req *http.Request) error {
|
||||||
|
// Skip origin verification if no Origin header is present. The origin check
|
||||||
|
// is supposed to protect against browser based attacks. Browsers always set
|
||||||
|
// Origin. Non-browser software can put anything in origin and checking it doesn't
|
||||||
|
// provide additional security.
|
||||||
|
if _, ok := req.Header["Origin"]; !ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
// Verify origin against whitelist.
|
// Verify origin against whitelist.
|
||||||
origin := strings.ToLower(req.Header.Get("Origin"))
|
origin := strings.ToLower(req.Header.Get("Origin"))
|
||||||
if allowAllOrigins || origins.Contains(origin) {
|
if allowAllOrigins || origins.Contains(origin) {
|
||||||
|
Loading…
Reference in New Issue
Block a user