Commit

Validate websocket origin (#2162)
WebSockets can be initiated from any site on the internet and still have
the user’s cookies and session. This pull request restricts the sites
which are allowed to open sockets to the app.

See W-14666443
jstvz authored Mar 14, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent 4b19f82 commit 539d0f3
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion metecho/routing.py
@@ -1,5 +1,6 @@
from channels.auth import AuthMiddlewareStack
from channels.routing import ProtocolTypeRouter, URLRouter
from channels.security.websocket import AllowedHostsOriginValidator
from django.core.asgi import get_asgi_application
from django.urls import path

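Review bot: the `AllowedHostsOriginValidator` import (third import line) brings in a check whose allow-list comes from Django's ALLOWED_HOSTS setting, and neither the commit message nor a comment in routing.py says so. Suggest a short comment at the import or at the `application` definition stating that WebSocket origins are governed by ALLOWED_HOSTS, so that a later change to that setting (a wildcard entry, for instance) is understood to widen WebSocket access as well. If origins other than the app's own hosts ever need to connect, `OriginValidator` from the same module takes an explicit list.
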
@@ -17,5 +18,8 @@


application = ProtocolTypeRouter(
{"http": get_asgi_application(), "websocket": AuthMiddlewareStack(websockets)}
{
"http": get_asgi_application(),
"websocket": AllowedHostsOriginValidator(AuthMiddlewareStack(websockets)),
}
)
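
Review bot: no test covers the new wrapper on the "websocket" entry; the commit changes only metecho/routing.py. Suggest one test that opens a socket with an Origin header outside the allowed hosts and asserts the handshake is refused, and one with an allowed Origin that still connects, so the check cannot be dropped silently in a later refactor of this dict. The nesting `AllowedHostsOriginValidator(AuthMiddlewareStack(websockets))` is worth keeping as written, with the origin check outermost so a rejected origin never reaches session and cookie handling.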