Skip to content

/ mopidy

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Websockets broken for some clients in v2.2.0 #1711

Closed
kingosticks opened this issue Oct 8, 2018 · 1 comment
Closed

Websockets broken for some clients in v2.2.0 #1711

kingosticks opened this issue Oct 8, 2018 · 1 comment
Assignees
@kingosticks
Labels
A-http C-bug
Milestone
v2.2.1

Comments

@kingosticks
Copy link
Member

@kingosticks kingosticks commented Oct 8, 2018
edited

Clients that use websocket connections from local files, such as those use in Apache Cordova apps like Mopidy-Mobile, do not work in Mopidy v.2.2.0. Reported here.

This is because the Origin header for requests from local files may be set to something like 'file://' or 'null', depending on the browser. The current check_origin() implementation (silently) blocks these requests. To reproduce, create a file contain the following called blocked.html and open it in your web browser by navigating to it's file URI e.g. file:///home/fred/blocked.html.

<script src="http://localhost:6680/mopidy/mopidy.js"></script>
<script>
  var mopidy = new Mopidy({
    webSocketUrl: "ws://localhost:6680/mopidy/ws/"
  });
  mopidy.connect();
</script>
  • Chrome sends Origin: file://
  • Firefox sends Origin: null

This was introduced by #1668
@kingosticks kingosticks self-assigned this Oct 8, 2018
kingosticks added a commit to kingosticks/mopidy that referenced this issue Oct 8, 2018
@kingosticks
http: allow local files to access websocket (Fixes mopidy#1711)
be416a6 
check_origin() still ensures the Origin header is set but now only blocks
when missing from the allowed list *if* a network location was extracted
from the header. This prevents websocket connections originating from
local files (common in Apache Cordova apps such as Mopidy-Mobile) from
being blocked; these files don't really have a sensible value for Origin
so the client browser sets the header to something like 'file://' or
'null'.

Also added some tests for check_origin().
@jodal jodal added this to the v2.2.1 milestone Oct 8, 2018
kingosticks added a commit to kingosticks/mopidy that referenced this issue Oct 8, 2018
@kingosticks
http: allow local files to access websocket (Fixes mopidy#1711)
0dcebdb 
check_origin() still ensures the Origin header is set but now only blocks
when missing from the allowed list *if* a network location was extracted
from the header. This prevents websocket connections originating from
local files (common in Apache Cordova apps such as Mopidy-Mobile) from
being blocked; these files don't really have a sensible value for Origin
so the client browser sets the header to something like 'file://' or
'null'.

Also added some tests for check_origin().
kingosticks added a commit to kingosticks/mopidy that referenced this issue Oct 8, 2018
@kingosticks
http: allow local files to access websocket (Fixes mopidy#1711)
f89d347 
check_origin() still ensures the Origin header is set but now only blocks
when missing from the allowed list *if* a network location was extracted
from the header. This prevents websocket connections originating from
local files (common in Apache Cordova apps such as Mopidy-Mobile) from
being blocked; these files don't really have a sensible value for Origin
so the client browser sets the header to something like 'file://' or
'null'.

Also added some tests for check_origin().
kingosticks added a commit to kingosticks/mopidy that referenced this issue Oct 8, 2018
@kingosticks
http: allow local files to access websocket (Fixes mopidy#1711)
6e9ed9e 
check_origin() still ensures the Origin header is set but now only blocks
when missing from the allowed list *if* a network location was extracted
from the header. This prevents websocket connections originating from
local files (common in Apache Cordova apps such as Mopidy-Mobile) from
being blocked; these files don't really have a sensible value for Origin
so the client browser sets the header to something like 'file://' or
'null'.

Also added some tests for check_origin().
jodal added a commit that referenced this issue Oct 8, 2018
@jodal
Merge pull request #1712 from kingosticks/fix/cors-breaking-changes
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
9f7b347 
http: allow local files to access websocket (Fixes #1711)
@jodal
Copy link
Member

@jodal jodal commented Oct 8, 2018

Fixed by #1712.
@jodal jodal closed this Oct 8, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kingosticks kingosticks

Labels
A-http C-bug
Projects
None yet
Milestone
v2.2.1
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
@jodal @kingosticks