Missing CSRF protection
atx opened this issue · 2 comments
The websocket endpoint is missing CSRF (CSWSH) protection, allowing a malicious website to control the client.
```javascript
var ws = new WebSocket("ws://127.0.0.1:8080/ws");
ws.onopen = function (event) {
    console.log("OPENED");
    setInterval(function () {
        ws.send("MPD_API_SET_PAUSE");
    }, 1000);
}
ws.onmessage = function (event) {
    console.log("Message " + event.data);
}
```
Easiest solution is probably to implement the content security policy connect-src
directive. So WebSocket connections are only allowed from the same origin.
> Easiest solution is probably to implement the content security policy connect-src directive. So WebSocket connections are only allowed from the same origin.
I don't think this would fix anything at all. The whole CSP is aimed at protecting an HTML page (so that a malicious injected script/resource cannot do much harm), but the reported vulnerability considers an attacker connecting to the (unprotected) websocket endpoint. The endpoint itself has no notion of CSP/protection.
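The check that belongs on the endpoint side of this discussion is validation of the `Origin` header that browsers attach to the WebSocket handshake. The following is an added example, not code from this thread or from the project; `normalizeOrigin`, `checkWebSocketOrigin` and the allowlist are hypothetical names, and the headers are assumed to arrive as an object with lower-cased keys (as Node's `http` module provides).

```javascript
// Added example: server-side Origin check for a WebSocket handshake.
// Function names and the allowlist are hypothetical; headers are assumed to be
// an object with lower-cased keys, as Node's http module provides.

// Return the canonical origin ("scheme://host[:port]") or null if unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null; // opaque origin
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null; // not a parseable URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // A real Origin header has no userinfo, path, query or fragment.
  if (url.username || url.password || url.pathname !== "/" || url.search || url.hash) {
    return null;
  }
  return url.origin; // lower-cased host, default port removed
}

// Decide whether the upgrade request may proceed. Exact match only: prefix or
// substring tests would accept hosts such as 127.0.0.1.evil.example.
function checkWebSocketOrigin(headers, allowedOrigins) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  const raw = headers["origin"];
  // Browsers always send Origin on a WebSocket handshake; rejecting its absence
  // is a policy choice that also shuts out non-browser clients.
  if (raw === undefined) return { accept: false, reason: "missing Origin" };
  const origin = normalizeOrigin(raw);
  if (origin === null) return { accept: false, reason: "malformed or opaque Origin" };
  if (!allowed.has(origin)) return { accept: false, reason: "cross-origin" };
  return { accept: true, reason: "allowed origin" };
}

// Constructed sample handshakes against the endpoint address used in the report.
const ALLOWED = ["http://127.0.0.1:8080"];
const samples = [
  { host: "127.0.0.1:8080", origin: "http://127.0.0.1:8080" },
  { host: "127.0.0.1:8080", origin: "http://evil.example" },
  { host: "127.0.0.1:8080", origin: "http://127.0.0.1.evil.example:8080" },
  { host: "127.0.0.1:8080", origin: "null" },
  { host: "127.0.0.1:8080" },
];
for (const h of samples) {
  console.log(h.origin, "->", checkWebSocketOrigin(h, ALLOWED).reason);
}
```

A server would call the check before completing the upgrade and answer a rejected handshake with an HTTP error instead of `101 Switching Protocols`.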