I am opening this issue after a short discussion with Martin Grigorov on the users' mailing list:
Basically, when somebody uses a WebSocketBehavior, the application is prone to Cross-Site WebSocket Hijacking.
The WebSocketBehavior onConnect() method does not receive the request headers, so it is hard to implement proper protection there. So we need a workaround for this.
One workaround might be modifying the AbstractWebSocketProcessor.
I made a quick modification here:
I am usually very bad at naming, so the class/interface names should definitely be changed.
Other than that, I also quickly read up on how to compare origins:
And how to respond to this issue (send 403 Forbidden and abort the handshake):
But I don't know how to do these things in the processor.
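For reference, the origin comparison the reporter mentions, written as a stand-alone added example. This is not Wicket's code and uses no Wicket API: it assumes the handshake's Origin header value and a configured set of allowed origins are available to the caller (both are assumptions here), and applies the RFC 6454 same-origin rule, i.e. scheme, lower-cased host and effective port must all match, with default ports filled in. A missing or literal "null" Origin is rejected, since a browser-issued cross-site WebSocket handshake always carries an Origin and the attack only works from a browser context.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not part of Wicket. Decides whether a WebSocket handshake's
// Origin header matches one of the origins this application accepts. On a
// mismatch the caller should answer 403 Forbidden and not upgrade the connection.
public final class OriginCheck {

    private OriginCheck() {}

    /** Default port for the scheme, or -1 if the scheme is not one we accept. */
    static int defaultPort(String scheme) {
        switch (scheme) {
            case "http":
            case "ws":
                return 80;
            case "https":
            case "wss":
                return 443;
            default:
                return -1;
        }
    }

    /**
     * Normalises "scheme://host[:port]" to "scheme://host:port" with a lower-cased
     * scheme and host and an explicit port. Returns null if the value is not a
     * well-formed origin (no scheme/host, unknown scheme, or a path/query attached).
     */
    static String normalize(String origin) {
        URI u;
        try {
            u = new URI(origin);
        } catch (URISyntaxException e) {
            return null;
        }
        if (u.getScheme() == null || u.getHost() == null) {
            return null;
        }
        // An origin's ASCII serialization has no path, query or fragment.
        if ((u.getRawPath() != null && !u.getRawPath().isEmpty())
                || u.getRawQuery() != null || u.getRawFragment() != null) {
            return null;
        }
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        String host = u.getHost().toLowerCase(Locale.ROOT);
        int port = u.getPort() == -1 ? defaultPort(scheme) : u.getPort();
        if (port == -1) {
            return null;
        }
        return scheme + "://" + host + ":" + port;
    }

    /**
     * True only if the Origin header is present, is not the literal "null", and
     * matches one of the allowed origins after normalisation. Comparing the
     * normalised strings avoids prefix tricks such as "https://example.com.evil.net".
     */
    public static boolean isAllowed(String originHeader, Set<String> allowedOrigins) {
        if (originHeader == null || originHeader.trim().equals("null")) {
            return false;
        }
        String got = normalize(originHeader.trim());
        if (got == null) {
            return false;
        }
        for (String allowed : allowedOrigins) {
            if (got.equals(normalize(allowed))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Hypothetical configuration: the origins this application serves its pages from.
        Set<String> allowed = Set.of("https://example.com", "https://www.example.com:443");
        // Constructed probe values standing in for Origin headers seen on handshakes.
        String[] probes = {
            "https://example.com",          // accepted
            "HTTPS://Example.COM:443",      // accepted: case and default port normalised
            "http://example.com",           // rejected: scheme differs
            "https://example.com:8443",     // rejected: port differs
            "https://example.com.evil.net", // rejected: different host, prefix attack
            "null",                         // rejected: opaque origin
            null                            // rejected: header absent
        };
        for (String p : probes) {
            String verdict = isAllowed(p, allowed) ? "accept handshake" : "403 Forbidden, abort handshake";
            System.out.println(p + " -> " + verdict);
        }
    }
}
```

The check has to run at handshake time, before the HTTP connection is upgraded; once the socket is open the Origin header is gone and a 403 can no longer be sent, which is exactly why the reporter wants the headers in the processor rather than in onConnect(). Whether to derive the allowed set from configuration or from the request's own Host header is a deployment choice; a fixed configured list is the stricter option.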