Skip to content

Deny unmasked frame receive for WebSocket Server #123485

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
liveans merged 2 commits into from
Jan 22, 2026
Merged

Deny unmasked frame receive for WebSocket Server #123485

liveans merged 2 commits into from
Jan 22, 2026
+22 −0

Conversation

@liveans
Copy link
Member

@liveans liveans commented Jan 22, 2026

Increasing RFC-compliance for WebSocket

@liveans liveans requested review from a team and Copilot January 22, 2026 10:27
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 22, 2026

Tagging subscribers to this area: @karelz, @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Copilot AI reviewed Jan 22, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request enhances RFC 6455 compliance for WebSocket servers by adding validation to reject unmasked frames from clients. According to the RFC, clients must mask all frames sent to servers, and servers should reject unmasked frames.

Changes:

  • Added validation logic to reject unmasked frames when running as a WebSocket server
  • Added a test case to verify the server properly rejects unmasked frames with appropriate error handling
  • Added a new resource string for the error message

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
src/libraries/System.Net.WebSockets/src/System/Net/WebSockets/ManagedWebSocket.cs Adds server-side validation to reject unmasked frames, mirroring the existing client-side check for masked frames
src/libraries/System.Net.WebSockets/tests/WebSocketTests.cs Adds test to verify server rejects unmasked frames and transitions to Aborted state
src/libraries/System.Net.WebSockets/src/Resources/Strings.resx Adds error message resource for unmasked frame rejection

@liveans
Update src/libraries/System.Net.WebSockets/tests/WebSocketTests.cs
74af74a 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
CarnaViire
CarnaViire approved these changes Jan 22, 2026
View reviewed changes
Copy link
Member

@CarnaViire CarnaViire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@liveans liveans enabled auto-merge (squash) January 22, 2026 12:50
@liveans liveans merged commit 777287d into dotnet:main Jan 22, 2026
89 checks passed
@dotnet-maestro dotnet-maestro bot mentioned this pull request Jan 23, 2026
Merged
@liveans
Copy link
Member Author

liveans commented Jan 27, 2026

/backport to release/10.0

@github-actions
Copy link
Contributor

github-actions bot commented Jan 27, 2026

Started backporting to release/10.0 (link to workflow run)

@github-actions github-actions bot mentioned this pull request Jan 27, 2026
Open
4 tasks
@liveans
Copy link
Member Author

liveans commented Jan 27, 2026

/backport to release/9.0-staging

@github-actions
Copy link
Contributor

github-actions bot commented Jan 27, 2026

Started backporting to release/9.0-staging (link to workflow run)

@github-actions github-actions bot mentioned this pull request Jan 27, 2026
Open
4 tasks
@liveans
Copy link
Member Author

liveans commented Jan 27, 2026

/backport to release/8.0-staging

@github-actions
Copy link
Contributor

github-actions bot commented Jan 27, 2026

Started backporting to release/8.0-staging (link to workflow run)

@github-actions
Copy link
Contributor

github-actions bot commented Jan 27, 2026

@liveans backporting to release/8.0-staging failed, the patch most likely resulted in conflicts. Please backport manually!

git am output 
$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: Deny unmasked frame receive on server
.git/rebase-apply/patch:53: trailing whitespace.
            
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M	src/libraries/System.Net.WebSockets/src/Resources/Strings.resx
M	src/libraries/System.Net.WebSockets/src/System/Net/WebSockets/ManagedWebSocket.cs
M	src/libraries/System.Net.WebSockets/tests/WebSocketTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/libraries/System.Net.WebSockets/src/Resources/Strings.resx
Auto-merging src/libraries/System.Net.WebSockets/src/System/Net/WebSockets/ManagedWebSocket.cs
Auto-merging src/libraries/System.Net.WebSockets/tests/WebSocketTests.cs
CONFLICT (content): Merge conflict in src/libraries/System.Net.WebSockets/tests/WebSocketTests.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Deny unmasked frame receive on server
Error: The process '/usr/bin/git' failed with exit code 128

Link to workflow output

@liveans liveans mentioned this pull request Jan 27, 2026
Open
4 tasks
@MihaZupan MihaZupan added this to the 11.0.0 milestone Jan 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@CarnaViire CarnaViire CarnaViire approved these changes

Assignees

@liveans liveans

Labels

area-System.Net

Projects

None yet

Milestone

11.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@liveans @CarnaViire @MihaZupan