This repository was archived by the owner on Apr 23, 2019. It is now read-only.

Description
Hi,
On line 106 of file HomeController : https://github.com/playframework/play-java-websocket-example/blob/2.6.x/app/controllers/HomeController.java#L106, you are checking the origin like this:
return origin.contains("localhost:9000") || origin.contains("localhost:19001");
If someone sends an Origin header with the value localhost:90000 it will be valid even if this is not the same origin. I understand that the port 90000 doesn't exist at all, but imagine someone uses the following code (by simply modifying the code you provide):
return origin.contains("mydomain.com");
It is still possible to do Cross-Site WebSocket Hijacking by using (buying) the domain amydomain.com.
I think it would be preferable to use the equals or equalsIgnoreCase method.
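A strict version of the check, added here as an example and not code from the play-java-websocket-example project: it parses the Origin header and compares scheme, host and port exactly against an allowlist, so neither a longer port such as 90000 nor a look-alike domain such as amydomain.com passes. The class and method names (OriginCheck, originMatches) are assumed, the allowed-origin list is a constructed sample, and the header value is taken as a possibly-null String.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not the project's own code: exact-match Origin validation.
public final class OriginCheck {

    // Constructed allowlist of full origins in the form scheme://host:port.
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "http://localhost:9000",
            "http://localhost:19001"));

    /** Returns true only when the Origin header names exactly one allowed origin. */
    public static boolean originMatches(String originHeader) {
        if (originHeader == null) {
            return false; // no Origin header: treat as untrusted
        }
        URI uri;
        try {
            uri = new URI(originHeader.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable value is rejected, never matched by substring
        }
        if (uri.getScheme() == null || uri.getHost() == null) {
            return false; // "localhost:9000.evil.example" yields no host and is rejected
        }
        int port = uri.getPort();
        if (port == -1) {
            port = "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80; // default ports
        }
        // Normalise case of scheme and host, then require an exact allowlist hit.
        String normalized = uri.getScheme().toLowerCase() + "://"
                + uri.getHost().toLowerCase() + ":" + port;
        return ALLOWED_ORIGINS.contains(normalized);
    }

    public static void main(String[] args) {
        // Constructed Origin header values, including the two cases from the report.
        String[] samples = {
            "http://localhost:9000",               // accepted: exact match
            "http://localhost:90000",              // rejected: port differs
            "http://amydomain.com",                // rejected: host differs
            "http://localhost:9000.evil.example",  // rejected: no parseable host
        };
        for (String s : samples) {
            System.out.println(s + " -> " + originMatches(s));
        }
    }
}
```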