Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Origin header should not be sent by client in handshake #615

Open
glassfishrobot opened this issue May 18, 2017 · 5 comments
Open

Origin header should not be sent by client in handshake #615

glassfishrobot opened this issue May 18, 2017 · 5 comments

Comments

@glassfishrobot
Copy link

Tyrus client is sending an origin header in the upgrade request. The value of the header is the host part of the websocket URL with scheme "http://". This does not really make sense and would say it's in fact misleading. Non-browser clients do not operate in a context where origin matters IMHO. According to the spec, the origin header is optional.
The main reason for me reporting this issue is a problem I ran into with the Qlik Sense websocket based API which fails to handle the handshake with the Tyrus client due to the origin header value. I had to manually change the header value to get the handshake working.
@glassfishrobot
Copy link
Author

@pavelbucek Commented
And why is that Tyrus issue and not Qlik Sense issue?

@glassfishrobot
Copy link
Author

@peraxel Commented
Because it makes no sense to send an origin in non-browser scenarios like this and it causes more harm than good. Setting a fake origin like this may cause problems as we see in the Qlik Sense case. The Qlik Sense server knows the origin header is fake because it hasn't received any http/https requests from the source system prior to the WS handshake and therefore rightfully refuses to complete the handshake.

According to RFC 6455, section 4.1 (Opening Handshake, Client Requirements):
"Additionally, if the client is a web browser, it supplies /origin/."

The use of origin header is described in other parts of the RFC as well.

@glassfishrobot
Copy link
Author

@dmekhanikov
Copy link

I encountered a similar issue with a Spring WebSocket server and Tyrus client. Tyrus sends an URL with http:// specified as origin scheme in an upgrade request, while the connection is actually established over https. Spring makes this request fail unless you tweak allowed origins.
I suggest removing this header from handshake requests or making the origin depend on whether a WSS or WS connection is being initiated.

@dadza
Copy link

dadza commented Mar 12, 2023

Sending the Origin header results in Chromium 111 responding with 403 to DevTools Protocol requests (via https://github.com/kklisura/chrome-devtools-java-client) unless the origin is included with --remote-allow-origins=..

See https://bugs.chromium.org/p/chromium/issues/detail?id=1422444

That bug talks about Selenium with Netty4, which has the same problem. Netty5 no longer sets the Origin header (by default at least), see netty/netty#9673

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dmekhanikov @glassfishrobot @dadza