Allow websocket connection originates from earlier accepted hostnames

2019-08-28 01:32:02 +02:00 · 2019-08-28 01:32:02 +02:00 · 27a67d9753
commit 27a67d9753
parent 67b78ca12d
2 changed files with 7 additions and 2 deletions
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@ -416,6 +416,9 @@ class UiRequest(object):
            file_url = "/" + address + "/" + inner_path
            root_url = "/" + address + "/"

+        if self.isProxyRequest():
+            self.server.allowed_ws_origins.add(self.env["HTTP_HOST"])
+
        # Wrapper variable inits
        body_style = ""
        meta_tags = ""
@ -715,9 +718,10 @@ class UiRequest(object):
            # Allow only same-origin websocket requests
            origin = self.env.get("HTTP_ORIGIN")
            host = self.env.get("HTTP_HOST")
-            if origin and host:
+            # Allow only same-origin websocket requests
+            if origin:
                origin_host = origin.split("://", 1)[-1]
-                if host != origin_host:
+                if origin_host != host and origin_host not in self.server.allowed_ws_origins:
                    ws.send(json.dumps({"error": "Invalid origin: %s" % origin}))
                    return self.error403("Invalid origin: %s" % origin)

--- a/src/Ui/UiServer.py
+++ b/src/Ui/UiServer.py
@ -75,6 +75,7 @@ class UiServer:
        else:
            self.allowed_hosts = set([])
        self.allow_trans_proxy = config.ui_trans_proxy
+        self.allowed_ws_origins = set()

        self.wrapper_nonces = []
        self.add_nonces = []