Clear Origin header on websockets

Technically this removes Sec-Websocket-Origin, as that's what the current version of Netty uses. We'll need to change this on 1.18+. Closes ##1197.
2024-12-14 04:00:30 +00:00 · 2022-10-31 17:46:02 +00:00 · 2022-10-31 17:46:02 +00:00 · 4c5b3a6ee5
commit 4c5b3a6ee5
parent 7701b343fb
2 changed files with 40 additions and 2 deletions
--- a/src/main/java/dan200/computercraft/core/apis/http/websocket/NoOriginWebSocketHanshakder.java
+++ b/src/main/java/dan200/computercraft/core/apis/http/websocket/NoOriginWebSocketHanshakder.java
@ -0,0 +1,39 @@
+/*
+ * This file is part of ComputerCraft - http://www.computercraft.info
+ * Copyright Daniel Ratcliffe, 2011-2022. Do not distribute without permission.
+ * Send enquiries to dratcliffe@gmail.com
+ */
+package dan200.computercraft.core.apis.http.websocket;
+
+import io.netty.handler.codec.http.FullHttpRequest;
+import io.netty.handler.codec.http.HttpHeaderNames;
+import io.netty.handler.codec.http.HttpHeaders;
+import io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker13;
+import io.netty.handler.codec.http.websocketx.WebSocketVersion;
+
+import java.net.URI;
+
+/**
+ * A version of {@link WebSocketClientHandshaker13} which doesn't add the {@link HttpHeaderNames#SEC_WEBSOCKET_ORIGIN}
+ * header to the original HTTP request.
+ */
+public class NoOriginWebSocketHanshakder extends WebSocketClientHandshaker13
+{
+    public NoOriginWebSocketHanshakder( URI webSocketURL, WebSocketVersion version, String subprotocol, boolean allowExtensions, HttpHeaders customHeaders, int maxFramePayloadLength )
+    {
+        super( webSocketURL, version, subprotocol, allowExtensions, customHeaders, maxFramePayloadLength );
+    }
+
+    @Override
+    protected FullHttpRequest newHandshakeRequest()
+    {
+        FullHttpRequest request = super.newHandshakeRequest();
+        HttpHeaders headers = request.headers();
+
+        if( !customHeaders.contains( HttpHeaderNames.SEC_WEBSOCKET_ORIGIN ) )
+        {
+            headers.remove( HttpHeaderNames.SEC_WEBSOCKET_ORIGIN );
+        }
+        return request;
+    }
+}
--- a/src/main/java/dan200/computercraft/core/apis/http/websocket/Websocket.java
+++ b/src/main/java/dan200/computercraft/core/apis/http/websocket/Websocket.java
@ -26,7 +26,6 @@ import io.netty.handler.codec.http.HttpHeaderNames;
 import io.netty.handler.codec.http.HttpHeaders;
 import io.netty.handler.codec.http.HttpObjectAggregator;
 import io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker;
-import io.netty.handler.codec.http.websocketx.WebSocketClientHandshakerFactory;
 import io.netty.handler.codec.http.websocketx.WebSocketVersion;
 import io.netty.handler.ssl.SslContext;

@ -152,7 +151,7 @@ public class Websocket extends Resource<Websocket>
                        }

                        String subprotocol = headers.get( HttpHeaderNames.SEC_WEBSOCKET_PROTOCOL );
-                        WebSocketClientHandshaker handshaker = WebSocketClientHandshakerFactory.newHandshaker(
+                        WebSocketClientHandshaker handshaker = new NoOriginWebSocketHanshakder(
                            uri, WebSocketVersion.V13, subprotocol, true, headers,
                            options.websocketMessage <= 0 ? MAX_MESSAGE_SIZE : options.websocketMessage
                        );