akka/akka-http

Review potential cross-site security issue wrt Websocket

Open

#275 geöffnet am 12. Sept. 2016

Auf GitHub ansehen
 (7 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)Scala (598 Forks)batch import
1 - triagedhelp wantedt:websocket

Repository-Metriken

Stars
 (1.311 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 1T 10h) (2 gemergte PRs in 30 T)

Beschreibung

Issue by jrudolph Thursday Sep 24, 2015 at 09:05 GMT Originally opened as https://github.com/akka/akka/issues/18549


@fommil reminded me that browsers may not be strict enough in preventing cross-site scripting to prevent malicious sites from opening up websocket connections on the behalf of the browser user.

We need to check in which situations this can lead to problems and how to prevent insecure access (e.g. by changing the server-side Websocket API to force the developer to provide an Origin checker to accept incoming Websocket requests).

Contributor Guide