You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Apr 23, 2019. It is now read-only.
If someone sends an Origin header with the value localhost:90000 it will be valid even if this is not the same origin. I understand that the port 90000 doesn't exist at all, but imagine someone uses the following code (by simply modifying the code you provide):
returnorigin.contains("mydomain.com");
It is still possible to do Cross-Site WebSocket Hijacking by using (buying) the domain amydomain.com.
I think it would be preferable to use the equals or equalsIgnoreCase method.
Hi,
On line 106 of file HomeController : https://github.com/playframework/play-java-websocket-example/blob/2.6.x/app/controllers/HomeController.java#L106, you are checking origin like that:
If someone sends an Origin header with the value
localhost:90000it will be valid even if this is not the same origin. I understand that the port 90000 doesn't exist at all, but imagine someone uses the following code (by simply modifying the code you provide):It is still possible to do Cross-Site WebSocket Hijacking by using (buying) the domain amydomain.com.
I think it would be preferable to use the
equalsorequalsIgnoreCasemethod.