Validate /websocket requests from browser dialer page #3295
Conversation
|
多加个环境变量不优雅,改为可以自定义 path 吧,比如这样 顺便把现在的基于
|
this requires the user to choose a secret path. I was trying to make the default invocation (the value copypasted from docs) safe by default. what do you think about sending a csrf token through the webpage, and sending it back from the browser when opening |
可以,Xray 启动时生成一个随机值就行 |
| if conn, err := upgrader.Upgrade(w, r, nil); err == nil { | ||
| conns <- conn | ||
| } else { | ||
| newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog() | ||
| } | ||
| } else { | ||
| w.Write(webpage) | ||
| w.Write([]byte("<script>\ncsrfToken = \"")) |
There was a problem hiding this comment.
it is a bit hard to read, but I did not like the idea of using cookies or a templating engine
not entirely sure I understand the translation, but my concern is not local applications, but rather webpages, who cannot read environment variables anyway |
mmmray
changed the title
|
This PR is "ready" |
写复杂了 我改一下 |
* xtls/main: README: Remove iamybj/docker-xray Revert "Makefile: export GOARCH, GOOS" v1.8.11 Validate /websocket requests from browser dialer page (XTLS#3295) Revert "nosni" Bump github.com/cloudflare/circl from 1.3.7 to 1.3.8
Fix #3236
Validate the origin of inbound websocket requests by default.
If the user wants to change origin validation, they can set
XRAY_BROWSER_DIALER_ORIGIN=http://custom.localhost.net:3000The current implementation is very inconvenient, because the origin is validated very strictly. If
XRAY_BROWSER_DIALER=http://127.0.0.1:3000, then the user has to visit127.0.0.1, notlocalhost. Is there a function to normalize this difference? Should xray perform DNS requests to normalize host names (I think this could open more attack vectors, using DNS rebinding)