Xpra: Ticket #2471: review websockets layer security

What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs

Takeaways:

check origin?
Cross-site WebSocket hijacking

Others?

Thu, 05 Mar 2020 10:42:06 GMT - Antoine Martin: status, milestone changed

status changed from new to assigned
milestone changed from 4.0 to 4.1

Sat, 17 Oct 2020 16:59:48 GMT - Antoine Martin: status changed; resolution set

status changed from assigned to closed
resolution set to wontfix

The origin header is trivial to modify, so not worth checking.

The rest doesn't apply to us: we handle the websocket layer directly so it can't be misused to access other services, we have our own authentication modules already, and tighter restrictions can be added using firewall / proxies..

Sat, 23 Jan 2021 05:52:10 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2471