The websocket cross-site vulnerability check implemented in ZEPPELIN-173 has been broken by ZEPPELIN-798 (migrate to jetty9). The checkOrigin method no longer overrides anything, so it won't be called.
The second one doesn't contain the checkOrigin.
A trivial fix is to call the existing check from the WebsocketCreator.
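
One way to call an origin check from a Jetty 9 `WebSocketCreator`, as an added example that is not Zeppelin's own code. The class name, the host allow-list and the shared endpoint object are assumptions; only the Jetty interfaces and methods are real.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest;
import org.eclipse.jetty.websocket.servlet.ServletUpgradeResponse;
import org.eclipse.jetty.websocket.servlet.WebSocketCreator;

// Hypothetical creator; register it from WebSocketServlet.configure() via factory.setCreator(...).
public class OriginCheckingCreator implements WebSocketCreator {
  private final Set<String> allowedHosts; // assumed: lower-case host names the UI is served from
  private final Object endpoint;          // assumed: the socket object handed to Jetty

  public OriginCheckingCreator(Set<String> allowedHosts, Object endpoint) {
    this.allowedHosts = allowedHosts;
    this.endpoint = endpoint;
  }

  // Pure check, kept static so it can be unit-tested without starting a server.
  static boolean isAllowedOrigin(String origin, Set<String> allowedHosts) {
    if (origin == null || origin.isEmpty()) {
      return false; // policy choice: browsers always send Origin on a WebSocket handshake
    }
    try {
      String host = new URI(origin).getHost(); // null for opaque values such as "null"
      return host != null && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    } catch (URISyntaxException e) {
      return false; // malformed Origin header: reject
    }
  }

  // @Override makes the compiler reject this method if the interface ever stops declaring it,
  // so the check cannot silently become dead code after a library migration.
  @Override
  public Object createWebSocket(ServletUpgradeRequest req, ServletUpgradeResponse resp) {
    if (!isAllowedOrigin(req.getHeader("Origin"), allowedHosts)) {
      try {
        resp.sendForbidden("Origin not allowed"); // commits a 403 before any upgrade happens
      } catch (IOException e) {
        // the response could not be written; the handshake is still refused below
      }
      return null; // null tells Jetty not to create a socket for this request
    }
    return endpoint;
  }
}
```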