Reject invalid "Sec-WebSocket-Key" headers from clients #360
Conversation
@nhooyr this was brought up by a security consultant. Would be great to get this in so we do not need to handle this at a layer above the websocket library.
Will get this in for v1.8.8. But I need to mention that it was entirely intentional on my end as it's a useless check mandated by the RFC. This isn't a security issue whatsoever and so I decided to ignore the RFC here and not waste CPU cycles on checking. But I can understand that as this library gets more usage it's important to stick to the letter of the RFC to satisfy consultants and process.
Also for anyone testing their websocket implementation against my own, it's good to error here as other libraries may not be flexible.
Will fix the merge conflicts myself.
Client "Sec-WebSocket-Key" should be a valid 16 byte base64 encoded nonce. If the header is not valid, the server should reject the client.
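The server-side check described above, written out as an added Go example. This is not the library's own code: the function names, the 400 response for a malformed key, and the use of strict base64 decoding (rejecting non-zero padding bits, one step beyond what the description asks for) are choices made for this illustration. The sample keys are constructed; the first one is the example key from RFC 6455, whose expected Sec-WebSocket-Accept value is also taken from the RFC.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
)

// websocketGUID is the fixed string RFC 6455 section 4.2.2 appends to the
// client key before hashing it for Sec-WebSocket-Accept.
const websocketGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

var errBadKey = errors.New("invalid Sec-WebSocket-Key: must be base64 of a 16-byte nonce")

// validateSecWebSocketKey returns nil only if key is padded standard base64
// (RFC 4648 section 4) that decodes to exactly 16 bytes, which is what
// RFC 6455 section 4.1 requires of the client nonce. Strict() additionally
// rejects encodings whose trailing padding bits are not zero (an
// illustrative choice, stricter than a plain "decodes to 16 bytes" test).
func validateSecWebSocketKey(key string) error {
	// A 16-byte nonce always encodes to 24 characters ending in "==",
	// so a length check cheaply rules out most garbage before decoding.
	if len(key) != 24 {
		return errBadKey
	}
	raw, err := base64.StdEncoding.Strict().DecodeString(key)
	if err != nil || len(raw) != 16 {
		return errBadKey
	}
	return nil
}

// secWebSocketAccept computes the Sec-WebSocket-Accept value for a key that
// has already passed validateSecWebSocketKey: base64(SHA-1(key || GUID)).
func secWebSocketAccept(key string) string {
	h := sha1.New()
	h.Write([]byte(key))
	h.Write([]byte(websocketGUID))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// checkHandshakeKey is the handshake step under discussion: read the header,
// reject the client with 400 if the key is malformed, otherwise return the
// accept value and 101 Switching Protocols.
func checkHandshakeKey(h http.Header) (accept string, status int, err error) {
	key := h.Get("Sec-WebSocket-Key")
	if err := validateSecWebSocketKey(key); err != nil {
		return "", http.StatusBadRequest, err
	}
	return secWebSocketAccept(key), http.StatusSwitchingProtocols, nil
}

func main() {
	// Constructed inputs: the RFC 6455 example key followed by malformed ones.
	for _, k := range []string{
		"dGhlIHNhbXBsZSBub25jZQ==", // valid: base64 of "the sample nonce"
		"",                         // header missing
		"dGhlIHNhbXBsZSBub25j",     // only 15 bytes of nonce
		"not base64 at all!!!!!!!", // 24 chars but outside the alphabet
		"dGhlIHNhbXBsZSBub25jZQ",   // unpadded
		"dGhlIHNhbXBsZSBub25jZR==", // non-zero padding bits, rejected by Strict()
	} {
		h := http.Header{}
		h.Set("Sec-WebSocket-Key", k)
		accept, status, err := checkHandshakeKey(h)
		fmt.Printf("%-26q -> %d %q %v\n", k, status, accept, err)
	}
}
```

Decoding with the standard alphabet matters: a URL-safe or unpadded key would also "decode to 16 bytes" under a permissive decoder, yet it is not what the RFC prescribes and other implementations may refuse it, which is the interoperability point raised in the discussion above.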