Reject invalid "Sec-WebSocket-Key" headers from clients #360
Conversation
@nhooyr this was brought up by a security consultant. Would be great to get this in so we do not need to handle this at a layer above the websocket library.
Will get this in for v1.8.8. But I need to mention that it was entirely intentional on my end as it's a useless check mandated by the RFC. This isn't a security issue whatsoever and so I decided to ignore the RFC here and not waste CPU cycles on checking. But I can understand that as this library gets more usage it's important to stick to the letter of the RFC to satisfy consultants and process.
Also for anyone testing their websocket implementation against my own, it's good to error here as other libraries may not be flexible.
Will fix the merge conflicts myself.
Client "Sec-WebSocket-Key" should be a valid 16 byte base64 encoded nonce. If the header is not valid, the server should reject the client.
06f53e9 to 305eab9
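The check the commit message describes, as an added example written for this page in Go (it is not code from the nhooyr/websocket library): the header value must be exactly the base64 encoding of a 16 byte nonce per RFC 6455 section 4.1, and only a validated key is used to derive the Sec-WebSocket-Accept reply. The helper names validateSecWebSocketKey and secWebSocketAccept and the sample keys are assumptions constructed for the example.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
)

// wsGUID is the fixed GUID from RFC 6455 section 1.3 used to derive Sec-WebSocket-Accept.
const wsGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
var errBadKey = errors.New("invalid Sec-WebSocket-Key: expected a base64 encoded 16 byte nonce")

// validateSecWebSocketKey (illustrative helper, not a nhooyr/websocket function) checks
// the header value against RFC 6455 section 4.1: the base64 encoding of 16 random bytes.
// Strict() also rejects non-canonical encodings (non-zero padding bits), so two different
// header strings cannot decode to the same nonce.
func validateSecWebSocketKey(key string) error {
	// 16 bytes always base64-encode to exactly 24 characters ending in "==", so this
	// cheap length check rejects most garbage before any decoding happens.
	if len(key) != 24 {
		return errBadKey
	}
	nonce, err := base64.StdEncoding.Strict().DecodeString(key)
	if err != nil || len(nonce) != 16 {
		return errBadKey
	}
	return nil
}

// secWebSocketAccept (illustrative helper) derives the Sec-WebSocket-Accept value the
// server sends back: base64(SHA-1(key + wsGUID)). Only meaningful for a validated key.
func secWebSocketAccept(key string) string {
	h := sha1.Sum([]byte(key + wsGUID))
	return base64.StdEncoding.EncodeToString(h[:])
}

func main() {
	// Constructed sample header values; the first is the example key from RFC 6455.
	for _, key := range []string{
		"dGhlIHNhbXBsZSBub25jZQ==", // valid 16 byte nonce
		"dGhlIHNhbXBsZSBub25jZR==", // same length, but non-zero padding bits
		"not base64!",              // garbage
	} {
		if err := validateSecWebSocketKey(key); err != nil {
			fmt.Printf("reject %q: %v\n", key, err)
			continue
		}
		fmt.Printf("accept %q -> Sec-WebSocket-Accept: %s\n", key, secWebSocketAccept(key))
	}
}
```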