check origin header for websocket connection

webpack · Jul 24, 2018 · f18e5ad · f18e5ad · hackel · Nov 9, 2018
1 parent e1bd264
commit f18e5ad
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/lib/Server.js b/lib/Server.js
@@ -513,13 +513,15 @@ Server.prototype.setContentHeaders = function (req, res, next) {
   next();
 };
 
-Server.prototype.checkHost = function (headers) {
+Server.prototype.checkHost = function (headers, headerToCheck) {
   // allow user to opt-out this security check, at own risk
   if (this.disableHostCheck) return true;
 
+  if (!headerToCheck) headerToCheck = "host";
+
   // get the Host header and extract hostname
   // we don't care about port not matching
-  const hostHeader = headers.host;
+  const hostHeader = headers[headerToCheck];
   if (!hostHeader) return false;
 
   // use the node url-parser to retrieve the hostname from the host-header.
@@ -589,6 +591,11 @@ Server.prototype.listen = function (port, hostname, fn) {
         conn.close();
         return;
       }
+      if (!this.checkHost(conn.headers, "origin")) {
+        this.sockWrite([conn], 'error', 'Invalid Origin header');
+        conn.close();
+        return;
+      }
       this.sockets.push(conn);
 
       conn.on('close', () => {