Hi, Please file a ticket at JIRA. I think the check should be added at org.apache.wicket.protocol.ws.api.AbstractWebSocketProcessor#AbstractWebSocketProcessor(HttpServletRequest, WebApplication) so that it is available for all native integrations. We can also add a setting in WebSocketSettings to switch the check off if this is needed.
WebSocketBehavior#onConnect() is just a notification to the application code that there is a connection. Patch/Pull Request would be very welcome! Thank you! Martin Grigorov Freelancer, available for hire! Wicket Training and Consulting https://twitter.com/mtgrigorov On Wed, Mar 18, 2015 at 8:42 AM, Gergely Nagy <foge...@gmail.com> wrote: > Hi fellow Wicketers, > > I have a question regarding CSWH. I was reading this article recently: > > http://www.notsosecure.com/blog/2014/11/27/how-cross-site-websocket-hijacking-could-lead-to-full-session-compromise/ > > It made me wondering how can I implement my protection against this kind of > attack? My tests show me that WebSocketBehavior is prone to this kind of > attack simply out-of-the-box. > > I am using wicket-native-websocket-jetty9 version 7.0.0-M5. > > I was thinking about implementing a custom WebSocketBehavior and overriding > the onConnect method, so I can get the Origin header and reject the > connection request if it's not matching the originator host. > > But ConnectedMessage doesn't provide the headers. So does anybody have any > suggestions how to implement this? Or maybe I miss the point and this > should be implemented completely differently? > > Thank you, > Gergely Nagy >