Skip to content

Commit

Permalink
Validate websocket origin (#2162)
Browse files Browse the repository at this point in the history
WebSockets can be initiated from any site on the internet and still have
the user’s cookies and session. This pull request restricts the sites
which are allowed to open sockets to the app.

See W-14666443
  • Loading branch information
jstvz authored Mar 14, 2024
1 parent 4b19f82 commit 539d0f3
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion metecho/routing.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
from channels.auth import AuthMiddlewareStack
from channels.routing import ProtocolTypeRouter, URLRouter
from channels.security.websocket import AllowedHostsOriginValidator
from django.core.asgi import get_asgi_application
from django.urls import path

Expand All @@ -17,5 +18,8 @@


application = ProtocolTypeRouter(
{"http": get_asgi_application(), "websocket": AuthMiddlewareStack(websockets)}
{
"http": get_asgi_application(),
"websocket": AllowedHostsOriginValidator(AuthMiddlewareStack(websockets)),
}
)

0 comments on commit 539d0f3

Please sign in to comment.