Skip to content

Cross-Site Websocket Hijacking Protection #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ghost wants to merge 5 commits into from
Closed

Cross-Site Websocket Hijacking Protection #112

ghost wants to merge 5 commits into from

Conversation

@ghost
Copy link

@ghost ghost commented Mar 20, 2015

This pull request is to replace my previous attempt:
#110

Now I rebased my changes in my feature branch to master.

This pull request introduces a few new things in wicket-native-websocket-core. The basic idea is to prevent hijacking the websocket connections when the request arrives from an invalid origin. The valid origin domains can be configured by the new websocketsettings or can be completely turned off if protection is not necessary.

New classes:

ConnectionRejectedException
IWebSocketConnectionFilter
WebSocketConnectionOriginFilter
WebSocketAbortedPayload
AbortedMessage
WebSocketTesterProcessorTest

New websocket settings:

isHijackingProtectionEnabled
getAllowedDomains

And finally new methods on WebSocketBehavior and WebSocketResource:

onAbort()

The easiest way to understand what's going on is to run the test class:

WebSocketTesterProcessorTest

admin added 5 commits March 20, 2015 10:48
Cross-Site WebSocket Hijacking protection added
91240a4
WebsocketSettings extended with allowedDomains
0495c09
Hijacking protection flag added to websocket settings
f687147
WebSocketBehavior and WebSocketResource got new methods called
dd6fb1a 
onAbort(). New broadcast message type: AbortedMessage introduced. New
payload type: WebSocketAbortedPayload introduced.
AbstractWebSocketProcessor closes connection when protection check
fails.
WebSocketTesterProcessorTest fixed and cleaned up
c9d1b22
@martin-g
Copy link
Member

martin-g commented Mar 20, 2015

I'm afraid the PR cannot be used.
Your formatting style caused complete rewrite of the touched files and the meaningful changes are lost in the noise

@ghost
Copy link
Author

ghost commented Mar 20, 2015

No problem! I will reapply them without formatting then! :)

@ghost ghost closed this Mar 20, 2015
@ghost ghost mentioned this pull request Mar 20, 2015
Closed
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@martin-g