Xpra: Ticket #2471: review websockets layer security

What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs

Takeaways:

Others?



Thu, 05 Mar 2020 10:42:06 GMT - Antoine Martin: status, milestone changed


Sat, 17 Oct 2020 16:59:48 GMT - Antoine Martin: status changed; resolution set

The origin header is trivial to modify, so not worth checking.

The rest doesn't apply to us: we handle the websocket layer directly so it can't be misused to access other services, we have our own authentication modules already, and tighter restrictions can be added using firewall / proxies.


Sat, 23 Jan 2021 05:52:10 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2471