fix: check origin header for websocket connection (#1603)

webpack · Dec 21, 2018 · b3217ca · b3217ca
1 parent 68dd49a
commit b3217ca
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/lib/Server.js b/lib/Server.js
@@ -630,14 +630,16 @@ Server.prototype.setContentHeaders = function (req, res, next) {
   next();
 };
 
-Server.prototype.checkHost = function (headers) {
+Server.prototype.checkHost = function (headers, headerToCheck) {
   // allow user to opt-out this security check, at own risk
   if (this.disableHostCheck) {
     return true;
   }
+
+  if (!headerToCheck) headerToCheck = 'host';
   // get the Host header and extract hostname
   // we don't care about port not matching
-  const hostHeader = headers.host;
+  const hostHeader = headers[headerToCheck];
 
   if (!hostHeader) {
     return false;
@@ -725,8 +727,8 @@ Server.prototype.listen = function (port, hostname, fn) {
         return;
       }
 
-      if (!this.checkHost(connection.headers)) {
-        this.sockWrite([ connection ], 'error', 'Invalid Host header');
+      if (!this.checkHost(connection.headers) || !this.checkHost(connection.headers, 'origin')) {
+        this.sockWrite([ connection ], 'error', 'Invalid Host/Origin header');
 
         connection.close();