This repository has been archived by the owner on Jun 28, 2022. It is now read-only.

Fix WebSocket upgrade CSRF vulnerability #35

Merged
merged 1 commit into from Jul 30, 2020

Conversation


@11k 11k commented Jul 14, 2020

For WebSocket upgrade requests, gorilla/websocket calls CheckOrigin to determine if the upgrade should be performed. The function should "carefully validate the request origin to prevent cross-site request forgery".

The current implementation immediately returns true, essentially performing no check. If undefined, a "safe default" is used, which only upgrades the request if the host component of the Origin header matches the Host header.

This PR removes the current implementation so the default is used.

If `CheckOrigin` is undefined, a "safe default" is used.
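To make the difference between the removed implementation and the default concrete, here is an added example (not code from this PR or from gorilla/websocket) that places the permissive `return true` check beside a same-origin check modelled on the library's documented default, plus an explicit allowlist for deployments that genuinely need cross-origin clients. The function names (`permissiveCheckOrigin`, `sameOriginCheck`, `allowlistCheck`, `wsHandler`), the hosts `app.example.com` and `evil.example.net`, and the constructed requests are all assumptions made for the illustration; only the standard library is used so it runs without the gorilla module.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// permissiveCheckOrigin reproduces the behaviour the PR removes: every Origin
// is accepted, so any site a logged-in user visits can open a WebSocket to
// this server carrying the user's cookies (cross-site WebSocket hijacking).
func permissiveCheckOrigin(r *http.Request) bool {
	return true
}

// sameOriginCheck mirrors the documented "safe default" that applies when
// CheckOrigin is left nil: the upgrade is allowed only when the host component
// of the Origin header matches the request's Host header. A missing Origin is
// allowed because browsers always send it on WebSocket upgrades, and
// non-browser clients are not subject to CSRF. (Reimplemented here for
// illustration; not copied from gorilla/websocket.)
func sameOriginCheck(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	// Note: Host may carry a port ("app.example.com:8443"); the Origin host
	// must then carry the same port or the comparison fails closed.
	return strings.EqualFold(u.Host, r.Host)
}

// allowlistCheck is a hypothetical explicit policy for servers that must
// accept cross-origin clients: compare the full Origin (scheme, host, port)
// against a fixed list instead of trusting whatever the client sends.
func allowlistCheck(allowed ...string) func(*http.Request) bool {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		set[strings.ToLower(a)] = struct{}{}
	}
	return func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			return true
		}
		_, ok := set[strings.ToLower(origin)]
		return ok
	}
}

// wsHandler applies a CheckOrigin-style policy the way an upgrader would and
// answers 403 Forbidden when the origin is rejected.
func wsHandler(check func(*http.Request) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "websocket: request origin not allowed", http.StatusForbidden)
			return
		}
		// A real server would complete the 101 upgrade handshake here.
		w.WriteHeader(http.StatusSwitchingProtocols)
	}
}

// newUpgradeRequest builds a constructed WebSocket upgrade request with the
// given Host header and Origin header (an empty origin means no header).
func newUpgradeRequest(host, origin string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://"+host+"/ws", nil)
	r.Header.Set("Connection", "Upgrade")
	r.Header.Set("Upgrade", "websocket")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

// statusFor runs a request through wsHandler under the given policy and
// returns the resulting HTTP status code (101 accepted, 403 rejected).
func statusFor(check func(*http.Request) bool, r *http.Request) int {
	rec := httptest.NewRecorder()
	wsHandler(check)(rec, r)
	return rec.Code
}

func main() {
	attacker := newUpgradeRequest("app.example.com", "https://evil.example.net")
	legit := newUpgradeRequest("app.example.com", "https://app.example.com")
	fmt.Println("permissive, attacker origin:", statusFor(permissiveCheckOrigin, attacker))
	fmt.Println("same-origin, attacker origin:", statusFor(sameOriginCheck, attacker))
	fmt.Println("same-origin, legit origin:   ", statusFor(sameOriginCheck, legit))
	fmt.Println("allowlist, legit origin:     ", statusFor(allowlistCheck("https://app.example.com"), legit))
}
```

The point of the comparison is that the permissive check upgrades the attacker-origin request exactly as it does the legitimate one, while the same-origin check rejects it with 403 before any socket is established. If you do override CheckOrigin, an allowlist of full origins is the usual replacement; a check that simply returns true is never one.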