ExpectOrigin as a cmdline option #435
Comments
websockify is more of a testing tool than a production-ready system, so any authentication should be taken with some caution. I don't think we should remove this, but we could put some comment on it about risks.
Origin can be spoofed by a malicious program, but not by a webpage. This distinction is relevant to mitigating the following scenario:
The risks of operating websockify on a LAN without ExpectOrigin should not be understated.
IMHO ExpectOrigin should not be an authentication method but an option one can pass on the command line.
It adds another obstacle for a malicious user to overcome but should not be relied upon for authentication because Origin can be spoofed.
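An added example, not websockify's own code and not written by anyone in this thread: a standalone Origin check on a WebSocket handshake, illustrating the two points made above (a browser page cannot choose its Origin, and a matching Origin still proves nothing about who the client is). The function names, the expected origin and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_headers(raw_request):
    """Return handshake headers keyed by lower-cased name (request line skipped)."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def normalize_origin(origin):
    """Canonical (scheme, host, port) for an Origin value, or None if malformed."""
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None  # an Origin is scheme://host[:port] only
    return (parts.scheme, parts.hostname, port or (443 if parts.scheme == "https" else 80))

def origin_allowed(raw_request, expected_origins):
    """Exact-match the handshake's Origin against the configured origins."""
    origin = parse_headers(raw_request).get("origin")
    if origin is None:
        return False  # no Origin sent: refuse when an origin is expected
    got = normalize_origin(origin)
    allowed = {normalize_origin(o) for o in expected_origins}
    # Exact tuple comparison, so a look-alike host that merely starts with the
    # expected name does not match. A pass here is NOT authentication: a
    # non-browser program can send these same bytes, so credentials are still needed.
    return got is not None and got in allowed

def handshake(origin=None):
    """Build a constructed sample handshake; origin=None omits the header."""
    lines = ["GET / HTTP/1.1", "Host: 192.0.2.10:6080", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
             "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append("Origin: " + origin)
    return "\r\n".join(lines) + "\r\n\r\n"

EXPECTED = ["https://novnc.example.test"]  # constructed value

if __name__ == "__main__":
    for o in ("https://novnc.example.test", "https://other.example.test", None):
        print(o, "->", origin_allowed(handshake(o), EXPECTED))
```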