Hi fellow Wicketers,

I have a question regarding CSWH. I was reading this article recently:
http://www.notsosecure.com/blog/2014/11/27/how-cross-site-websocket-hijacking-could-lead-to-full-session-compromise/

It made me wonder how I can implement my own protection against this kind of
attack. My tests show me that WebSocketBehavior is prone to this kind of
attack simply out of the box.

I am using wicket-native-websocket-jetty9 version 7.0.0-M5.

I was thinking about implementing a custom WebSocketBehavior and overriding
the onConnect method, so I can get the Origin header and reject the
connection request if it doesn't match the originating host.

But ConnectedMessage doesn't provide the headers. So does anybody have any
suggestions on how to implement this? Or maybe I am missing the point and this
should be implemented completely differently?

Thank you,
Gergely Nagy

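One way to put the Origin check in place, as an added example that is not from the original post and not Wicket's own code: since the message handed to onConnect does not expose the handshake headers, the check can be done one layer down, in a plain servlet Filter mapped in front of WicketFilter, where the raw HTTP upgrade request (and its Origin header) is still available. It uses only the Servlet API, so it does not depend on any Wicket WebSocket class. The package, class name, init-param name and the example origin list are assumptions.

```java
// Added example (not from the original post or from Wicket): a servlet Filter
// that refuses cross-origin WebSocket handshakes before they reach WicketFilter.
package example.security; // hypothetical package

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WebSocketOriginFilter implements Filter {

    /** Origins (scheme://host[:port]) explicitly allowed to open WebSocket connections. */
    private final Set<String> allowedOrigins = new HashSet<>();

    @Override
    public void init(FilterConfig config) {
        // Assumed init-param name; comma-separated, e.g.
        // "https://app.example.com,https://app.example.com:8443"
        String param = config.getInitParameter("allowedOrigins");
        if (param != null) {
            for (String o : param.split(",")) {
                String normalized = normalizeOrigin(o.trim());
                if (normalized != null) {
                    allowedOrigins.add(normalized);
                }
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && isWebSocketUpgrade((HttpServletRequest) req)) {
            HttpServletRequest http = (HttpServletRequest) req;
            if (!isAllowedOrigin(http.getHeader("Origin"), http)) {
                // Refuse the handshake: the browser never receives 101 Switching Protocols,
                // so the attacker's page gets no socket bound to the victim's session cookie.
                ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN,
                        "WebSocket origin not allowed");
                return;
            }
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }

    /** True for an RFC 6455 opening handshake (Upgrade: websocket, Connection: Upgrade). */
    static boolean isWebSocketUpgrade(HttpServletRequest req) {
        String upgrade = req.getHeader("Upgrade");
        String connection = req.getHeader("Connection");
        return upgrade != null && "websocket".equalsIgnoreCase(upgrade.trim())
                && connection != null && connection.toLowerCase(Locale.ROOT).contains("upgrade");
    }

    /**
     * Browsers always send Origin on a WebSocket handshake, so a missing or "null"
     * Origin is treated as cross-origin and rejected (this also blocks non-browser
     * clients that omit the header; relax it deliberately if you need those).
     * An origin passes if it is on the allow-list or equals the origin the request
     * itself was sent to (scheme + Host header), i.e. a same-origin page.
     */
    boolean isAllowedOrigin(String originHeader, HttpServletRequest req) {
        String origin = normalizeOrigin(originHeader);
        if (origin == null) {
            return false;
        }
        if (allowedOrigins.contains(origin)) {
            return true;
        }
        String host = req.getHeader("Host");
        if (host == null) {
            return false;
        }
        // Note: behind a TLS-terminating proxy getScheme() may report "http";
        // in that case rely on the allow-list rather than this same-origin fallback.
        String self = normalizeOrigin(req.getScheme() + "://" + host);
        return origin.equals(self);
    }

    /** Lower-cases scheme and host and drops a default port so that
     *  "HTTPS://App.Example.com:443" and "https://app.example.com" compare equal. */
    static String normalizeOrigin(String value) {
        if (value == null || value.isEmpty() || "null".equalsIgnoreCase(value)) {
            return null;
        }
        try {
            URI uri = new URI(value);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) {
                return null;
            }
            scheme = scheme.toLowerCase(Locale.ROOT);
            host = host.toLowerCase(Locale.ROOT);
            int port = uri.getPort();
            boolean defaultPort = port == -1
                    || (port == 80 && scheme.equals("http"))
                    || (port == 443 && scheme.equals("https"));
            return scheme + "://" + host + (defaultPort ? "" : ":" + port);
        } catch (URISyntaxException e) {
            return null;
        }
    }
}
```

Map the filter in web.xml on the same url-pattern as WicketFilter and declare its filter-mapping before WicketFilter's, since the container applies filters in mapping order; the WebSocket upgrade is performed inside Wicket's Jetty 9 filter, so a 403 sent here prevents the upgrade altogether. Comparing against an explicit allow-list (plus the request's own scheme + Host) is preferable to trusting any header the client can set; the Origin header itself is the one thing a browser will not let an attacker's page forge, which is why the check works against the attack described in the linked article.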