WebSocket always defers the decision to the server, because it didn't have to deal with legacy compatibility... but the same-origin policy is still a reasonable default. Origin checks do not protect against a directly connecting attacker -- they can lie about their host, but can also lie about their origin. Origin checks protect against a connection from 3rd-party controlled script in a context where a victim browser's cookies will be passed along. And if an attacker has breached that protection, they've already compromised the HTTP session, so treating the WebSocket connection in the same way seems reasonable. In case this logic proves incorrect (or anyone just wants to be more paranoid), we retain a config option to disable it.
- Permit same-origin connections by default.

  New option `config.action_cable.allow_same_origin_as_host = false` to disable.

  Dávid Halász, Matthew Draper

- Prevent race where the client could receive and act upon a subscription confirmation before the channel's `subscribed` method completed.

  Fixes #25381.

  Vladimir Dementyev

- Buffer writes to websocket connections, to avoid blocking threads that could be doing more useful things.

  Matthew Draper, Tinco Andringa

- Protect against concurrent writes to a websocket connection from multiple threads; the underlying OS write is not always threadsafe.

  Tinco Andringa

- Add ActiveSupport::Notifications hook to Broadcaster#broadcast.

  Matthew Wear

- Close hijacked socket when connection is shut down.

  Fixes #25613.

  Tinco Andringa

Please check 5-0-stable for previous changes.
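
The origin check described in the commit message and in the same-origin changelog entry, sketched as an added Ruby example (not Action Cable's own code). The `OriginPolicy` class, its keyword names and the `example.test` hosts are assumptions made for illustration, and rejecting a request that carries no Origin header is a choice of this sketch.

```ruby
# Added illustration: OriginPolicy and its keywords are hypothetical names,
# not Action Cable's API. It evaluates a Rack-style env hash.
class OriginPolicy
  def initialize(allow_same_origin_as_host: true, allowed_origins: [], disable_protection: false)
    @same_origin = allow_same_origin_as_host
    @allowed = Array(allowed_origins)
    @disabled = disable_protection
  end

  # Returns true when the WebSocket upgrade request may proceed.
  def allow?(env)
    return true if @disabled
    origin = env["HTTP_ORIGIN"]
    # No Origin header means there is nothing to compare, so reject.
    return false if origin.nil? || origin.empty?
    # Same-origin: scheme and host of the request must equal the Origin exactly.
    return true if @same_origin && origin == "#{scheme(env)}://#{env['HTTP_HOST']}"
    # Strings match exactly, Regexps by pattern (=== covers both).
    # Unanchored patterns would also accept look-alike hosts, so anchor them.
    @allowed.any? { |allowed| allowed === origin }
  end

  private

  def scheme(env)
    env["rack.url_scheme"] == "https" || env["HTTPS"] == "on" ? "https" : "http"
  end
end

# Constructed sample requests (hosts are placeholders).
SAME = { "HTTP_HOST" => "app.example.test", "rack.url_scheme" => "https",
         "HTTP_ORIGIN" => "https://app.example.test" }
CROSS = SAME.merge("HTTP_ORIGIN" => "https://other.example.net")
DOWNGRADE = SAME.merge("HTTP_ORIGIN" => "http://app.example.test")
NO_ORIGIN = { "HTTP_HOST" => "app.example.test", "rack.url_scheme" => "https" }
LOOKALIKE = SAME.merge("HTTP_ORIGIN" => "https://app.example.test.attacker.test")
ANCHORED = /\Ahttps:\/\/[a-z0-9-]+\.example\.test\z/

if __FILE__ == $PROGRAM_NAME
  default = OriginPolicy.new
  { same: SAME, cross: CROSS, downgrade: DOWNGRADE, no_origin: NO_ORIGIN }.each do |name, env|
    puts "#{name}: #{default.allow?(env) ? 'accept' : 'reject'}"
  end
end
```
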