@thekid thekid commented Jul 5, 2025

Motivation

Note: All browsers send an Origin header. You can use this header for security (checking for same origin, automatically allowing or denying, etc.) and send a 403 Forbidden if you don't like what you see.

Source: https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers

Usage

use web\handler\WebSocket;

// Uses same-origin policy by default
new WebSocket($handler);

// Also allow browsers to connect from example.com and subdomains using HTTPS
new WebSocket($handler, ['https://example.com', 'https://*.example.com']);

// Allow connecting from any host, e.g. for a websocket API
new WebSocket($handler, ['*']);

⚠️ However, be warned that non-browser agents can set the Origin header to any value. While this default measure is effective against Cross Site WebSocket Hijacking (CSWH), think about further measures like authentication.

See also

thekid commented Jul 5, 2025

The more flexible version would have been:

use web\filters\VerifyOrigin;
use web\handler\WebSocket;

new VerifyOrigin(new WebSocket($handler), VerifyOrigin::SAMEORIGIN);

...but I wanted this handler to be more secure by default.

@thekid thekid merged commit 7fb23cc into master Jul 5, 2025
14 checks passed
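
The allow-list semantics from the description above (same-origin by default, exact origins, "*." subdomain wildcards, "*" for any origin), as an added sketch that is not code from this pull request or the library. The function names, the choice to deny absent or "null" origins, the reading of the list as additional to same-origin, and the sample origins are assumptions.

```php
<?php
// Added sketch, not the library's code. Function names are hypothetical.

/** Compiles an allow-list entry such as https://*.example.com to a regex */
function originPattern(string $entry): string {
  // Quote everything, then let "*." stand for one or more DNS labels
  $quoted= preg_quote(strtolower($entry), '#');
  $labels= str_replace('\\*\\.', '(?:[a-z0-9-]+\\.)+', $quoted);

  // \A and \z anchor both ends: no prefix or suffix tricks, no trailing newline
  return '#\\A'.$labels.'\\z#';
}

/**
 * @param ?string  $origin   Origin header value, NULL if the header is absent
 * @param string   $self     Origin the server is reached at (scheme://host[:port])
 * @param string[] $allowed  Additional origins; ['*'] disables the check
 */
function originAllowed(?string $origin, string $self, array $allowed= []): bool {
  if (in_array('*', $allowed, true)) return true;

  // Assumption of this sketch: absent and opaque ("null") origins are denied
  if (null === $origin || 'null' === $origin) return false;

  $origin= strtolower($origin);
  if ($origin === strtolower($self)) return true;

  foreach ($allowed as $entry) {
    if (1 === preg_match(originPattern($entry), $origin)) return true;
  }
  return false;
}

// Constructed sample origins, checked against the allow-list from the description
$allowed= ['https://example.com', 'https://*.example.com'];
$samples= [
  'https://chat.example.test',        // same origin as $self
  'https://app.example.com',
  'https://a.b.example.com',
  'http://app.example.com',           // wrong scheme
  'https://evilexample.com',          // no label boundary before example.com
  'https://example.com.evil.test',    // allowed name used as a prefix
  'null',
];
foreach ($samples as $origin) {
  $ok= originAllowed($origin, 'https://chat.example.test', $allowed);
  printf("%-32s %s\n", $origin, $ok ? 'accept' : '403');
}
```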