From aaac169a588462a9aea48556fcf401516615d158 Mon Sep 17 00:00:00 2001
From: Max Goodhart
Date: Thu, 2 Jul 2020 13:54:50 -0700
Subject: [PATCH] Validate Origin header for WebSocket requests

---
 src/node/server.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/node/server.js b/src/node/server.js
index 3604082..4d6f7ae 100644
--- a/src/node/server.js
+++ b/src/node/server.js
@@ -15,6 +15,7 @@ import websocket from 'koa-easy-ws'
 const webDistPath = path.join(app.getAppPath(), 'web')
 
 function initApp({ username, password, baseURL, getInitialState, onMessage }) {
+  const expectedOrigin = new URL(baseURL).origin
   const sockets = new Set()
   const app = new Koa()
 
@@ -38,6 +39,11 @@ function initApp({ username, password, baseURL, getInitialState, onMessage }) {
   app.use(
     route.get('/ws', async (ctx) => {
       if (ctx.ws) {
+        if (ctx.headers.origin !== expectedOrigin) {
+          ctx.status = 403
+          return
+        }
+
         const ws = await ctx.ws()
         sockets.add(ws)
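Review bot: The added `const expectedOrigin = new URL(baseURL).origin` in the first hunk evaluates to the literal string `'null'` when baseURL has an opaque origin (for example a `file:` URL), and browsers send `Origin: null` for opaque-origin pages such as sandboxed frames, so the comparison that consumes this value in the following hunk would then accept exactly the cross-origin requests it is meant to reject. It also throws a TypeError on a relative or malformed baseURL, which is acceptable but worth making explicit. Fail fast at construction instead: keep the added line and follow it with `if (expectedOrigin === 'null') throw new Error('baseURL must have a non-opaque origin')`. A one-line comment such as `// Only pages served from baseURL may open the WebSocket; compared against the Origin header in the /ws route` would also document why only the origin, not the full URL, is kept. The body of initApp continues outside this hunk.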