Posted to commits@wicket.apache.org by "Martin Grigorov (JIRA)" <ji...@apache.org> on 2015/04/10 15:56:13 UTC

[jira] [Resolved] (WICKET-5860) Cross-Site Websocket Hijacking protection

     [ https://issues.apache.org/jira/browse/WICKET-5860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-5860.
-------------------------------------
       Resolution: Fixed
    Fix Version/s: 7.0.0-M6

Thanks!

> Cross-Site Websocket Hijacking protection
> -----------------------------------------
>
>                 Key: WICKET-5860
>                 URL: https://issues.apache.org/jira/browse/WICKET-5860
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-native-websocket
>    Affects Versions: 7.0.0-M5
>         Environment: Jetty 9.0.x
>            Reporter: Gergely Nagy
>            Assignee: Martin Grigorov
>             Fix For: 7.0.0-M6
>
>
> I am opening this issue according to our short discussion with [~mgrigorov] on the users' mailing list:
> http://www.mail-archive.com/users@wicket.apache.org/msg86479.html
> Basically, when somebody is using a WebSocketBehavior, the application is prone to Cross-Site hijacking.
> The WebSocketBehavior onConnect() method does not receive the request headers, so it's hard to add proper protection there. So we need a workaround for this.
> One workaround might be modifying the AbstractWebSocketProcessor.
> I made a quick modification here:
> https://github.com/Fogetti/wicket/commit/f2f83b14371f518fff71a7b18d6f292df8de0221
> I am usually very bad at naming, so the class/interface names should definitely be changed.
> Other than that, I also quickly read how to compare origins:
> https://tools.ietf.org/html/rfc6454#page-11
> And how to respond to this issue (send 403 forbidden and abort the handshake):
> https://tools.ietf.org/html/rfc6455#section-4.2.2
> But I don't know how to do these things in the processor. :(



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
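As an added illustration (not code from this page, not Wicket's actual fix for WICKET-5860, and not the reporter's linked commit), the servlet filter below shows the two steps the issue description points at: comparing the handshake's Origin header with the server's own origin as a scheme/host/port triple per RFC 6454, and answering a mismatch with a 403 and no upgrade, as RFC 6455 section 4.2.2 describes. The class name, the constructor argument and the expected origin value are hypothetical; the code assumes the javax.servlet API of the Jetty 9.0.x era named in the issue.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Wicket) that refuses WebSocket handshakes
 * whose Origin header is absent or belongs to a different origin than the
 * one this application is served from.
 */
public class WebSocketOriginFilter implements Filter {
    // Placeholder value; in a real deployment this comes from configuration.
    private final String expectedOrigin;

    public WebSocketOriginFilter(String expectedOrigin) {
        this.expectedOrigin = expectedOrigin; // e.g. "https://app.example.com" (placeholder)
    }

    /**
     * RFC 6454 section 4: an origin is the triple (scheme, host, port).
     * Scheme and host compare case-insensitively; a missing port takes the
     * scheme's default. Returns null for anything that is not a valid origin,
     * including the literal "null" origin that browsers send for opaque origins.
     */
    static String[] originTriple(String origin) {
        URI uri;
        try {
            uri = new URI(origin.trim());
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return null;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        if (port == -1) {
            switch (scheme) {
                case "http": case "ws": port = 80; break;
                case "https": case "wss": port = 443; break;
                default: return null;
            }
        }
        return new String[] { scheme, host, Integer.toString(port) };
    }

    /** RFC 6454 section 5: same origin iff scheme, host and port all match. */
    static boolean sameOrigin(String a, String b) {
        String[] ta = originTriple(a);
        String[] tb = originTriple(b);
        return ta != null && tb != null && Arrays.equals(ta, tb);
    }

    /** The opening handshake is an HTTP request carrying "Upgrade: websocket". */
    static boolean isWebSocketHandshake(HttpServletRequest req) {
        String upgrade = req.getHeader("Upgrade");
        return upgrade != null && upgrade.equalsIgnoreCase("websocket");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isWebSocketHandshake(req)) {
            String origin = req.getHeader("Origin");
            // Browsers always send Origin on a WebSocket handshake, so a missing
            // or foreign value is treated as a cross-site attempt: RFC 6455
            // section 4.2.2 says to reply with 403 and abort the handshake.
            if (origin == null || !sameOrigin(origin, expectedOrigin)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void destroy() { }
}
```

Two details worth noting: the Origin header of a handshake carries the page's http/https origin, not a ws/wss URL, so the expected value should be the origin the pages are served from; and because the check is a filter in front of the WebSocket servlet, it sees the request headers that the reporter notes are unavailable inside WebSocketBehavior.onConnect().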