WebSocket Origin Restriction #9447
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BrennanConroy
commented
Nov 5, 2018
| }); | ||
| ``` | ||
|
|
||
| This helps ensure that browser users are using a trusted client and not a malicious one from a different site. |
There was a problem hiding this comment.
Review: Should we keep this or remove it?
There was a problem hiding this comment.
Remove from here, but consider working it into the section intro.
BrennanConroy
changed the title
tdykstra
approved these changes
Nov 5, 2018
| The following settings can be configured: | ||
|
|
||
| * `KeepAliveInterval` - How frequently to send "ping" frames to the client to ensure proxies keep the connection open. | ||
| * `ReceiveBufferSize` - The size of the buffer used to receive data. Advanced users may need to change this for performance tuning based on the size of the data. | ||
| * `AllowedOrigins` - List of the Origin header values allowed for WebSocket requests to prevent Cross-Site WebSocket Hijacking. By default all Origins are allowed. |
There was a problem hiding this comment.
Lowercase Cross-Site and Hijacking
| }); | ||
| ``` | ||
|
|
||
| This helps ensure that browser users are using a trusted client and not a malicious one from a different site. |
There was a problem hiding this comment.
Remove from here, but consider working it into the section intro.
| ```c# | ||
| app.UseWebSockets(new WebSocketOptions() | ||
| { | ||
| AllowedOrigins.Add("https://client.com"); |
There was a problem hiding this comment.
what's the delimiter for multiple origins?
There was a problem hiding this comment.
It's a list so you can call .Add() for as many origins as you want
There was a problem hiding this comment.
Show multiple origins (like https://client.com and https://www.client.com) to illustrate that
aspnetcore/signalr/security.md
Outdated
| @@ -39,6 +39,14 @@ For example, the following CORS policy allows a SignalR browser client hosted on | |||
|
|
|||
| ## WebSocket Origin Restriction | |||
|
|
|||
| ::: moniker range=">= aspnetcore-2.2" | |||
|
|
|||
| The protections provided by CORS don't apply to WebSockets. For origin restriction on WebSockets read [WebSockets Origin Restriction](xref:fundamentals/websockets#websocket-origin-restriction). | |||
There was a problem hiding this comment.
Lowercase origin restriction
| @@ -123,6 +137,33 @@ The code shown earlier that accepts the WebSocket request passes the `WebSocket` | |||
|
|
|||
| When accepting the WebSocket connection before beginning the loop, the middleware pipeline ends. Upon closing the socket, the pipeline unwinds. That is, the request stops moving forward in the pipeline when the WebSocket is accepted. When the loop is finished and the socket is closed, the request proceeds back up the pipeline. | |||
|
|
|||
| ::: moniker range=">= aspnetcore-2.2" | |||
|
|
|||
| ### WebSocket Origin Restriction | |||
There was a problem hiding this comment.
Lowercase origin restriction
sentence case headings; lowercase "origin" except when it refers specifically to "Origin" as the name of a header.
| This helps ensure that browser users are using a trusted client and not a malicious one from a different site. | ||
|
|
||
| > [!NOTE] | ||
| > The `Origin` header is controlled by the client and, like the `Referer` header, can be faked. These headers should **not** be used as an authentication mechanism. |
There was a problem hiding this comment.
Or more directly
Do not use these headers as an authentication mechanism.
Could also make that sentence first to make it stand out more.
|
@tdykstra FYI there are unrelated warnings in the publishing check |
|
@BrennanConroy Thanks, we're aware of them and are looking into it. |
halter73
reviewed
Nov 5, 2018
| The following settings can be configured: | ||
|
|
||
| * `KeepAliveInterval` - How frequently to send "ping" frames to the client to ensure proxies keep the connection open. | ||
| * `ReceiveBufferSize` - The size of the buffer used to receive data. Advanced users may need to change this for performance tuning based on the size of the data. |
halter73
reviewed
Nov 5, 2018
|
|
||
| * `KeepAliveInterval` - How frequently to send "ping" frames to the client to ensure proxies keep the connection open. The default is two minutes. | ||
| * `ReceiveBufferSize` - The size of the buffer used to receive data. Advanced users may need to change this for performance tuning based on the size of the data. The default is 4kb. | ||
| * `AllowedOrigins` - List of the Origin header values allowed for WebSocket requests to prevent cross-site WebSocket hijacking. By default all Origins are allowed. |
There was a problem hiding this comment.
Nit: Uppercase O in "Origin header" seems right, but it should probably be lowercase for "By default, all origins are allowed."
halter73
approved these changes
Nov 5, 2018
halter73
reviewed
Nov 5, 2018
Co-Authored-By: BrennanConroy <brecon@microsoft.com>
scottaddie
reviewed
Nov 5, 2018
| * `KeepAliveInterval` - How frequently to send "ping" frames to the client to ensure proxies keep the connection open. | ||
| * `ReceiveBufferSize` - The size of the buffer used to receive data. Advanced users may need to change this for performance tuning based on the size of the data. | ||
| * `KeepAliveInterval` - How frequently to send "ping" frames to the client to ensure proxies keep the connection open. The default is two minutes. | ||
| * `ReceiveBufferSize` - The size of the buffer used to receive data. Advanced users may need to change this for performance tuning based on the size of the data. The default is 4kb. |
There was a problem hiding this comment.
- kb --> KB
- Add space between 4 and KB
| The following settings can be configured: | ||
|
|
||
| * `KeepAliveInterval` - How frequently to send "ping" frames to the client to ensure proxies keep the connection open. The default is two minutes. | ||
| * `ReceiveBufferSize` - The size of the buffer used to receive data. Advanced users may need to change this for performance tuning based on the size of the data. The default is 4kb. |
There was a problem hiding this comment.
- kb --> KB
- Add space between 4 and KB
|
|
||
| * `KeepAliveInterval` - How frequently to send "ping" frames to the client to ensure proxies keep the connection open. The default is two minutes. | ||
| * `ReceiveBufferSize` - The size of the buffer used to receive data. Advanced users may need to change this for performance tuning based on the size of the data. The default is 4kb. | ||
| * `AllowedOrigins` - List of the Origin header values allowed for WebSocket requests to prevent cross-site WebSocket hijacking. By default, all origins are allowed. |
There was a problem hiding this comment.
Suggested change
| * `AllowedOrigins` - List of the Origin header values allowed for WebSocket requests to prevent cross-site WebSocket hijacking. By default, all origins are allowed. | |
| * `AllowedOrigins` - List of the Origin header values allowed for WebSocket requests to prevent cross-site WebSocket hijacking. By default, all origins are allowed. |
aspnetcore/signalr/security.md
Outdated
| @@ -39,6 +39,14 @@ For example, the following CORS policy allows a SignalR browser client hosted on | |||
|
|
|||
| ## WebSocket Origin Restriction | |||
|
|
|||
| ::: moniker range=">= aspnetcore-2.2" | |||
|
|
|||
| The protections provided by CORS don't apply to WebSockets. For origin restriction on WebSockets read [WebSockets origin restriction](xref:fundamentals/websockets#websocket-origin-restriction). | |||
There was a problem hiding this comment.
Add a comma after "For origin restrictions on WebSockets".
analogrelay
approved these changes
Nov 6, 2018
| ```c# | ||
| app.UseWebSockets(new WebSocketOptions() | ||
| { | ||
| AllowedOrigins.Add("https://client.com"); |
There was a problem hiding this comment.
Show multiple origins (like https://client.com and https://www.client.com) to illustrate that
Co-Authored-By: BrennanConroy <brecon@microsoft.com>
scottaddie
reviewed
Nov 6, 2018
|
|
||
| However, browsers do send the `Origin` header when issuing WebSocket requests. Applications should be configured to validate these headers to ensure that only WebSockets coming from the expected origins are allowed. | ||
|
|
||
| If you are hosting your server on "https://server.com" and hosting your client on "https://client.com", add "https://client.com" to the `AllowedOrigins` list for WebSockets to verify. |
Co-Authored-By: BrennanConroy <brecon@microsoft.com>
scottaddie
approved these changes
Nov 6, 2018
|
Thank you for your help, @BrennanConroy! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #9363
Internal Review Link
There are some moniker ranges, so switch the versions to verify they're working