#2471 closed task (wontfix)
review websockets layer security
| Reported by: | Antoine Martin | Owned by: | Antoine Martin |
|---|---|---|---|
| Priority: | minor | Milestone: | 4.1 |
| Component: | network | Version: | 3.0.x |
| Keywords: | Cc: |
Description
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs
Takeaways:
- check origin?
- Cross-site WebSocket hijacking
Others?
Change History (3)
comment:1 Changed 12 months ago by
| Milestone: | 4.0 → 4.1 |
|---|---|
| Status: | new → assigned |
comment:2 Changed 5 months ago by
| Resolution: | → wontfix |
|---|---|
| Status: | assigned → closed |
comment:3 Changed 6 weeks ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2471
Note: See
TracTickets for help on using
tickets.
copyleft 2010 - 2021
The origin header is trivial to modify, so not worth checking.
The rest doesn't apply to us: we handle the websocket layer directly so it can't be misused to access other services, we have our own authentication modules already, and tighter restrictions can be added using firewall / proxies..