Protect WebSocket endpoints from untrusted origin requests #134

Merged
merged 1 commit into from
Apr 22, 2024


knuton
Member

@knuton knuton commented Apr 20, 2024

We previously added support for adding Private Network Access and CORS headers only for a whitelist of permissible origins. This protects browser users running the driver locally against abuse from third-party websites, which could make HTTP requests to the driver at the loopback address.

This commit extends this protection to WebSocket endpoints, for which browsers do not currently perform pre-flight requests. We therefore explicitly deny all requests from unknown origins.

This change prepares for the driver gaining the capability of triggering firmware updates in connected devices (#127).

Checklist

  • Changelog updated
  • Code documented

@knuton knuton added the reviewable Ready for initial or iterative review. label Apr 20, 2024
@knuton knuton requested a review from krksgbr April 20, 2024 12:28
Contributor

@krksgbr krksgbr left a comment

It looks good and works as expected.

How I tested:

  • I ran the tests with a build from main and the unknown origin tests failed, as expected.
  • I also tested in the browser with the driver started with ./bin/dividat-driver --permissible-origin "http://orig.in" and all requests were rejected, as expected.
  • When the driver is started with no arguments, connections continue to work as before.

@krksgbr krksgbr merged commit 8562e58 into dividat:main Apr 22, 2024
1 check passed
@krksgbr krksgbr removed the reviewable Ready for initial or iterative review. label Apr 22, 2024
@knuton knuton deleted the block-untrusted-origins branch April 22, 2024 12:37
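
The origin check described in this pull request, sketched as an added Go example that is not the driver's own code: a handler wrapper that rejects WebSocket handshakes from origins outside an allowlist, since the browser performs no pre-flight for them. Assumptions: the names `originGuard`, `handshakeStatus` and `admit` are hypothetical, requests without an `Origin` header are let through as non-browser clients, and the sample origins are constructed (`http://orig.in` is the value used in the review comment).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// originGuard rejects requests whose Origin is not on the allowlist before they
// reach next (e.g. a WebSocket upgrade handler); browsers send no pre-flight here.
func originGuard(permissible []string, next http.Handler) http.Handler {
	allowed := make(map[string]bool, len(permissible))
	for _, o := range permissible {
		allowed[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		// Assumption: no Origin means a non-browser client. Matching is exact.
		if origin != "" && !allowed[origin] {
			http.Error(w, "origin not permitted", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// handshakeStatus sends a constructed WebSocket handshake ("" omits Origin)
// through h and returns the recorded status code.
func handshakeStatus(h http.Handler, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "http://127.0.0.1/ws", nil)
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// admit stands in for the real upgrade handler; it only marks "admitted".
var admit = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

func main() {
	guarded := originGuard([]string{"http://orig.in"}, admit)
	for _, o := range []string{"http://orig.in", "https://third-party.example", ""} {
		fmt.Printf("Origin %q -> %d\n", o, handshakeStatus(guarded, o))
	}
}
```

Exact string comparison matters here: a prefix or substring match would admit a lookalike such as `http://orig.in.evil.example`.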