
Security of WebSocket in light of no same origin connection policy

I am worried about the security implications of the fact that WebSockets can open connections to servers other than the one from which the script was loaded. Is there at least a plugin I can install that would tell me if a WebSocket is opening a connection to a non-originating server? I can imagine falling victim to a Cross Site Scripting attack, which then opens up a WebSocket to some malicious server.

Is this really a problem? If so, why is it allowed?

If you want to check whether a cross origin WebSocket is about to be opened then you can use this code:

(function(w) {
    // Keep a reference to the real constructor before it is replaced.
    var org_websocket = w.WebSocket,
        // Escape regex metacharacters in location.host (which includes any port).
        reg_host = location.host.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, "\\$&"),
        // Only ws:// or wss:// URLs on exactly this host, optionally followed by a path.
        pattern = new RegExp("^(ws|wss)://" + reg_host + "(/.*)?$");

    w.WebSocket = function(url, protocols) {
        if (!pattern.test(url)) {
            alert("cross site websocket");
        }
        // Forward the optional sub-protocol argument so wrapped calls behave like the original.
        return new org_websocket(url, protocols);
    };
})(window);

If you ensure that it runs before any other script then you'll be in control. This is still not 100% secure since the original WebSocket class can be retrieved by other means (iframes?). And there are probably other security holes in JavaScript that I'm not aware of. On the other hand, it is always possible to hack a client; you should not rely on that.

Now as for security. It is an issue and it can be a serious one. But on the other hand it cannot be prevented with simple HTTP either (JSONP). That's why the cross-site request policy is getting weaker (it's a big restriction for normal developers while not being secure at all).

For example we already have Cross Origin Resource Sharing. So it is up to developers to ensure that their web servers are secure (i.e. proper escaping of whatever a user passes to the server).
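As an added example (not the answer's own code), the same idea carried further: the origin test uses the URL parser, so default ports, IPv6 hosts and unparsable URLs are handled, and the wrapper keeps the sub-protocol argument and the original class's static constants. The names `isSameOriginWsUrl`, `installWebSocketGuard`, the `scope` parameter and the `onCrossOrigin` callback are this example's own, not part of any browser API.

```javascript
// Added example (not the answer's code): a same-origin check for WebSocket URLs
// built on the WHATWG URL parser instead of a hand-written regex, plus a guard
// that wraps a WebSocket constructor. Function names are this example's own.

// Default ports, so "wss://example.com:443/x" and "wss://example.com/x" compare equal.
const DEFAULT_WS_PORT = { "ws:": "80", "wss:": "443" };

// True only when `url` is a ws/wss URL whose host and effective port match
// `pageHost` (what location.host returns: "host" or "host:port"). Anything that
// fails to parse, including relative URLs, is treated as cross-origin so the
// guard fails closed.
function isSameOriginWsUrl(url, pageHost) {
  let target, page;
  try {
    target = new URL(String(url));
    page = new URL("ws://" + pageHost); // reuse the parser for the page host
  } catch (e) {
    return false;
  }
  if (!(target.protocol in DEFAULT_WS_PORT)) return false;
  const targetPort = target.port || DEFAULT_WS_PORT[target.protocol];
  const pagePort = page.port || DEFAULT_WS_PORT[target.protocol];
  return target.hostname === page.hostname && targetPort === pagePort;
}

// Replaces scope.WebSocket with a wrapper that reports cross-origin targets
// through `onCrossOrigin` before delegating. It forwards the `protocols`
// argument and keeps the prototype and static constants of the original class,
// which a bare replacement loses. Returns the original for later restoration.
function installWebSocketGuard(scope, pageHost, onCrossOrigin) {
  const Original = scope.WebSocket;
  function GuardedWebSocket(url, protocols) {
    if (!isSameOriginWsUrl(url, pageHost)) onCrossOrigin(String(url));
    return new Original(url, protocols);
  }
  GuardedWebSocket.prototype = Original.prototype;
  for (const key of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
    if (key in Original) GuardedWebSocket[key] = Original[key];
  }
  scope.WebSocket = GuardedWebSocket;
  return Original;
}
```

In a page this would be called as `installWebSocketGuard(window, location.host, cb)` before any other script runs; the answer's caveat that another frame can still hand out the unwrapped constructor applies unchanged.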
