Origin header validation on websocket connection (#2821)

diff --git a/src/ejabberd_http_ws.erl b/src/ejabberd_http_ws.erl
index 4b54e67ecff7cbcc89c5b36054f1ddf322434dcc..675c7114ebbffc054bd33f7c50bf89ae8c53f5d6 100644 (file)
--- a/src/ejabberd_http_ws.erl
+++ b/src/ejabberd_http_ws.erl
@@ -371,5 +371,7 @@ opt_type(websocket_ping_interval) ->
     fun (I) when is_integer(I), I >= 0 -> I end;
 opt_type(websocket_timeout) ->
     fun (I) when is_integer(I), I > 0 -> I end;
+opt_type(websocket_origin) ->
+    fun (O) -> O end;
 opt_type(_) ->
-    [websocket_ping_interval, websocket_timeout].
+    [websocket_ping_interval, websocket_timeout, websocket_origin].

diff --git a/src/ejabberd_websocket.erl b/src/ejabberd_websocket.erl
index 506ff142b6bb57df7adea8273761cdb10c679b8a..767c3837ba719c5c719e0011e697384e1c601d7f 100644 (file)
--- a/src/ejabberd_websocket.erl
+++ b/src/ejabberd_websocket.erl
@@ -66,7 +66,8 @@ check(_Path, Headers) ->
     RequiredHeaders = [{'Upgrade', <<"websocket">>},
                        {'Connection', ignore}, {'Host', ignore},
                        {<<"Sec-Websocket-Key">>, ignore},
-                       {<<"Sec-Websocket-Version">>, <<"13">>}],
+                       {<<"Sec-Websocket-Version">>, <<"13">>},
+                       {<<"Origin">>, get_origin()}],
 
     F = fun ({Tag, Val}) ->
                case lists:keyfind(Tag, 1, Headers) of
@@ -406,3 +407,6 @@ websocket_close(Socket, WsHandleLoopPid,
 websocket_close(Socket, WsHandleLoopPid, SocketMode, _CloseCode) ->
     WsHandleLoopPid ! closed,
     SocketMode:close(Socket).
+
+get_origin() ->
+    ejabberd_config:get_option({websocket_origin, ejabberd_config:get_myname()}, ignore).
\ No newline at end of file