Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- 7.0.0-M5
- None
- Environment: Jetty 9.0.x
Description
I am opening this issue according to our short discussion with mgrigorov on the users' mailing list:
http://www.mail-archive.com/users@wicket.apache.org/msg86479.html
Basically, when somebody is using a WebSocketBehavior, the application is prone to cross-site hijacking.
The WebSocketBehavior onConnect() method does not receive the request headers, so it is hard to implement proper protection there. So we need a workaround for this.
One workaround might be modifying the AbstractWebSocketProcessor.
I made a quick modification here:
https://github.com/Fogetti/wicket/commit/f2f83b14371f518fff71a7b18d6f292df8de0221
I am usually very bad at naming, so the class/interface names should be definitely changed.
Other than that, I also quickly read how to compare origins:
https://tools.ietf.org/html/rfc6454#page-11
And how to respond to this issue (send 403 Forbidden and abort the handshake):
https://tools.ietf.org/html/rfc6455#section-4.2.2
But I don't know how to do these things in the processor.
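The RFC 6454 origin comparison that such a handshake check needs, as an added example that is neither the linked commit nor Wicket's own code; the server's own scheme, host and port are assumed to be read from the incoming upgrade request, and the sample values are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example, not part of Wicket: decide whether a WebSocket upgrade request
// comes from the same origin as the page that is allowed to open it.
public final class OriginCheck {

    /** Compares an Origin header value with the server's origin tuple per RFC 6454 section 5. */
    public static boolean isSameOrigin(String originHeader, String scheme, String host, int port) {
        if (originHeader == null) {
            return false; // no Origin header: browsers always send one, so treat as cross-site
        }
        String value = originHeader.trim();
        if (value.isEmpty() || value.equalsIgnoreCase("null")) {
            return false; // "null" is an opaque origin and never equals a (scheme, host, port) tuple
        }
        URI origin;
        try {
            origin = new URI(value);
        } catch (URISyntaxException e) {
            return false; // unparseable header: reject rather than guess
        }
        if (origin.getScheme() == null || origin.getHost() == null) {
            return false;
        }
        String originScheme = origin.getScheme().toLowerCase(Locale.ROOT);
        String serverScheme = scheme.toLowerCase(Locale.ROOT);
        // A missing port means the scheme's default port (80 for http, 443 for https).
        int originPort = origin.getPort() == -1 ? defaultPort(originScheme) : origin.getPort();
        int serverPort = port == -1 ? defaultPort(serverScheme) : port;
        // Scheme and host compare case-insensitively; the port must match exactly.
        return originScheme.equals(serverScheme)
                && origin.getHost().equalsIgnoreCase(host)
                && originPort == serverPort;
    }

    private static int defaultPort(String scheme) {
        switch (scheme) {
            case "http": return 80;
            case "https": return 443;
            default: return -1;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the page that owns the socket is served at https://app.example.org
        String[] origins = {"https://app.example.org", "https://APP.example.org:443",
                            "http://app.example.org", "https://evil.example", "null"};
        for (String o : origins) {
            System.out.println(o + " -> " + isSameOrigin(o, "https", "app.example.org", 443));
        }
    }
}
```

When isSameOrigin returns false the processor would answer with HTTP 403 and stop before completing the upgrade, as RFC 6455 section 4.2.2 describes; where to do that inside AbstractWebSocketProcessor is the open question of this issue.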