Websockets broken for some clients in v2.2.0 #1711
Closed
Comments
kingosticks
added a commit
to kingosticks/mopidy
that referenced
this issue
Oct 8, 2018
check_origin() still ensures the Origin header is set but now only blocks when missing from the allowed list *if* a network location was extracted from the header. This prevents websocket connections originating from local files (common in Apache Cordova apps such as Mopidy-Mobile) from being blocked; these files don't really have a sensible value for Origin so the client browser sets the header to something like 'file://' or 'null'. Also added some tests for check_origin().
kingosticks
added a commit
to kingosticks/mopidy
that referenced
this issue
Oct 8, 2018
check_origin() still ensures the Origin header is set but now only blocks when missing from the allowed list *if* a network location was extracted from the header. This prevents websocket connections originating from local files (common in Apache Cordova apps such as Mopidy-Mobile) from being blocked; these files don't really have a sensible value for Origin so the client browser sets the header to something like 'file://' or 'null'. Also added some tests for check_origin().
kingosticks
added a commit
to kingosticks/mopidy
that referenced
this issue
Oct 8, 2018
check_origin() still ensures the Origin header is set but now only blocks when missing from the allowed list *if* a network location was extracted from the header. This prevents websocket connections originating from local files (common in Apache Cordova apps such as Mopidy-Mobile) from being blocked; these files don't really have a sensible value for Origin so the client browser sets the header to something like 'file://' or 'null'. Also added some tests for check_origin().
kingosticks
added a commit
to kingosticks/mopidy
that referenced
this issue
Oct 8, 2018
check_origin() still ensures the Origin header is set but now only blocks when missing from the allowed list *if* a network location was extracted from the header. This prevents websocket connections originating from local files (common in Apache Cordova apps such as Mopidy-Mobile) from being blocked; these files don't really have a sensible value for Origin so the client browser sets the header to something like 'file://' or 'null'. Also added some tests for check_origin().
jodal
added a commit
that referenced
this issue
Oct 8, 2018
http: allow local files to access websocket (Fixes #1711)
Fixed by #1712. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Clients that use websocket connections from local files, such as those use in Apache Cordova apps like Mopidy-Mobile, do not work in Mopidy v.2.2.0. Reported here.
This is because the Origin header for requests from local files may be set to something like 'file://' or 'null', depending on the browser. The current
check_origin()
implementation (silently) blocks these requests. To reproduce, create a file contain the following called blocked.html and open it in your web browser by navigating to it's file URI e.g. file:///home/fred/blocked.html.Origin: file://
Origin: null
This was introduced by #1668
The text was updated successfully, but these errors were encountered: