roysc/plugeth
1
0
Fork 0
forked from cerc-io/plugeth
Code Pull Requests Activity

rpc: skip websocket origin check if there is no origin header

Browse Source
This commit is contained in:
Felix Lange 2019-02-19 11:49:43 +01:00
parent c283d9b5e8
commit 26d3a8ca80
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rpc/websocket.go
View File

@ -124,6 +124,13 @@ func wsHandshakeValidator(allowedOrigins []string) func(*websocket.Config, *http
log.Debug(fmt.Sprintf("Allowed origin(s) for WS RPC interface %v", origins.ToSlice())) log.Debug(fmt.Sprintf("Allowed origin(s) for WS RPC interface %v", origins.ToSlice()))
f := func(cfg *websocket.Config, req *http.Request) error { f := func(cfg *websocket.Config, req *http.Request) error {
// Skip origin verification if no Origin header is present. The origin check
// is supposed to protect against browser based attacks. Browsers always set
// Origin. Non-browser software can put anything in origin and checking it doesn't
// provide additional security.
if _, ok := req.Header["Origin"]; !ok {
return
}
// Verify origin against whitelist. // Verify origin against whitelist.
origin := strings.ToLower(req.Header.Get("Origin")) origin := strings.ToLower(req.Header.Get("Origin"))
if allowAllOrigins || origins.Contains(origin) { if allowAllOrigins || origins.Contains(origin) {