Merge pull request #14214 from skateman/websocket-forwarded-for

Fetch the allowed WebSocket origin from the XFH header when possible
ManageIQ · Mar 8, 2017 · dd2f00d · dd2f00d
2 parents cf439c2 + a2b70a9
commit dd2f00d
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/websocket_server.rb b/lib/websocket_server.rb
@@ -99,6 +99,7 @@ def not_found
   # Primitive same-origin policy checking in production
   def same_origin_as_host?(env)
     proto = Rack::Request.new(env).ssl? ? 'https' : 'http'
-    Rails.env.development? || env['HTTP_ORIGIN'] == "#{proto}://#{env['HTTP_HOST']}"
+    host = env['HTTP_X_FORWARDED_HOST'] ? env['HTTP_X_FORWARDED_HOST'].split(/,\s*/).first : env['HTTP_HOST']
+    Rails.env.development? || env['HTTP_ORIGIN'] == "#{proto}://#{host}"
   end
 end