What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs
Takeaways:
Others?
The origin header is trivial to modify, so not worth checking.
The rest doesn't apply to us: we handle the websocket layer directly so it can't be misused to access other services, we have our own authentication modules already, and tighter restrictions can be added using firewalls / proxies.
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2471