I'd like to use WebSockets for inter-process communication for my application (Daemon<->WebGUI and Daemon<->FatClient, etc.). During testing, I tried connecting to my locally running web socket server (ws://localhost:1234) via the JavaScript WebSocket client on websocket (www.websocket/echo.html).
My question now is: Why is this possible? Is there no cross-origin policy implemented in the browsers (here: FF29 on Linux)?
I am asking because if websocket was evil, it could try to communicate with my local WS server and redirect every message it receives from localhost to any other server:
    Local WebSocket Server        Browser           Evil Web Server
    at ws://localhost:1234                          at evil.tld
             |                       |                    |
             |                       |------[GET /]------>|
             |                       |<---[HTML+EvilJS]---|
             |<--[connect ws://..]---|                    |
             |<-[some communication]>|                    |
             |                       |---[evil forward]-->|
             |                       |                    |
I have not tested the entire use case, but connecting to ws://localhost from the JS delivered by websocket definitely works.
Recommended answer:
oberstet answered the question. Thank you! Unfortunately I can't mark it as "correct" because it was a comment. The browser sends the "origin" header which can be checked by the application.
In Java [1]:
    // Imports for the Java-WebSocket server API used below and for logging.
    import org.java_websocket.WebSocket;
    import org.java_websocket.handshake.ClientHandshake;
    import java.util.logging.Level;

    @Override
    public void onOpen(WebSocket clientSocket, ClientHandshake handshake) {
        // Origin is set by the browser on the opening handshake; compare it to the one allowed origin.
        String clientOrigin = handshake.getFieldValue("origin");
        if (clientOrigin == null || !clientOrigin.equals(WEBSOCKET_ALLOWED_ORIGIN_HEADER)) {
            logger.log(Level.WARNING, "Client did not send correct origin header: " + clientOrigin);
            clientSocket.close();
            return;
        }
        // ...
    }

[1] uses github/TooTallNate/Java-WebSocket
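As an added example (not code from the question or from the Java-WebSocket project), the same check written as a stand-alone handshake handler in Python: the Upgrade is accepted only when the browser-supplied Origin is on an allow list, and the case of a missing Origin is decided explicitly, since non-browser clients (such as the FatClient) do not send one. The allowed origins and the sample requests are constructed.

```python
import base64
import hashlib

# Example policy (constructed): origins allowed to talk to the local daemon.
ALLOWED_ORIGINS = {"http://localhost:8080", "https://gui.example.test"}
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455


def parse_handshake(raw: bytes) -> dict:
    """Map lower-cased header names to values for an HTTP/1.1 Upgrade request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def origin_allowed(headers: dict, allowed=ALLOWED_ORIGINS) -> bool:
    """Accept only an allow-listed Origin. Browsers always send Origin (RFC 6455,
    section 4.1), so a missing header means a non-browser client: rejected here."""
    origin = headers.get("origin")
    return origin is not None and origin in allowed

def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept for the client's Sec-WebSocket-Key (RFC 6455, 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake_response(raw: bytes) -> bytes:
    """101 response when the Origin is allowed; otherwise refuse and close."""
    headers = parse_handshake(raw)
    if not origin_allowed(headers):
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    key = headers.get("sec-websocket-key")
    if key is None:
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        f"Connection: Upgrade\r\nSec-WebSocket-Accept: {accept_key(key)}\r\n\r\n"
    ).encode("ascii")

# Constructed sample requests: the handshake a page from the allowed GUI origin
# sends, and the identical handshake from a page at evil.tld (the diagram above).
HANDSHAKE = (b"GET / HTTP/1.1\r\nHost: localhost:1234\r\nUpgrade: websocket\r\n"
             b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
             b"Sec-WebSocket-Version: 13\r\nOrigin: %s\r\n\r\n")
GOOD_REQUEST = HANDSHAKE % b"http://localhost:8080"
EVIL_REQUEST = HANDSHAKE % b"http://evil.tld"
```

The Origin check only defends against pages running in a victim's browser, which cannot alter the header; a non-browser client can send any Origin it likes, so the daemon still needs to authenticate its peers separately.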