From f18e5adf123221a1015be63e1ca2491ca45b8d10 Mon Sep 17 00:00:00 2001
From: Tobias Koppers
Date: Tue, 24 Jul 2018 18:57:43 +0200
Subject: [PATCH 1/2] check origin header for websocket connection
---
 lib/Server.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/lib/Server.js b/lib/Server.js
index 9f1992f733..c56fe79c33 100644
--- a/lib/Server.js
+++ b/lib/Server.js
@@ -513,13 +513,15 @@ Server.prototype.setContentHeaders = function (req, res, next) {
 next();
 };
-Server.prototype.checkHost = function (headers) {
+Server.prototype.checkHost = function (headers, headerToCheck) {
 // allow user to opt-out this security check, at own risk
 if (this.disableHostCheck) return true;
+ if (!headerToCheck) headerToCheck = "host";
+
 // get the Host header and extract hostname
 // we don't care about port not matching
- const hostHeader = headers.host;
+ const hostHeader = headers[headerToCheck];
 if (!hostHeader) return false;
 // use the node url-parser to retrieve the hostname from the host-header.
@@ -589,6 +591,11 @@ Server.prototype.listen = function (port, hostname, fn) {
 conn.close();
 return;
 }
+ if (!this.checkHost(conn.headers, "origin")) {
+ this.sockWrite([conn], 'error', 'Invalid Origin header');
+ conn.close();
+ return;
+ }
 this.sockets.push(conn);
 conn.on('close', () => {
From 7b9c846c0ccee3764bb0eed678f79265d11b6f0b Mon Sep 17 00:00:00 2001
From: Tobias Koppers
Date: Fri, 21 Dec 2018 17:27:42 +0100
Subject: [PATCH 2/2] use single quotes
---
 lib/Server.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/Server.js b/lib/Server.js
index 402d1f94ca..e1b2034acd 100644
--- a/lib/Server.js
+++ b/lib/Server.js
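Review bot: With `headerToCheck` set to `"origin"`, the value read at `const hostHeader = headers[headerToCheck];` is an absolute URL (`scheme://host[:port]`, or the literal `null` for opaque origins) rather than the bare `host[:port]` form the Host path was written for, so the hostname extraction that follows the `// use the node url-parser` comment must accept a scheme prefix; that parse call lies outside the hunk, so I cannot confirm it does. If it still prepends `//` unconditionally, the legacy parser would most likely take `http:` as the authority and every browser-supplied Origin would fail the check, which would show up as all dev-server clients being refused rather than as an exploitable hole. Two documentation gaps in the same hunk: the existing comment `// allow user to opt-out this security check, at own risk` now also covers the Origin check, since `disableHostCheck` returns early for both, and the new parameter deserves a line such as `// headerToCheck: 'host' (default) or 'origin'; an absent header fails the check`. checkHost's body continues past the end of the hunk.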
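Review bot: The new guard in the second hunk depends on `checkHost` returning false for an absent header (the `if (!hostHeader) return false;` line of the first hunk), so a WebSocket client that sends no Origin at all, which is typical of non-browser tooling, is now closed with 'Invalid Origin header'; browsers always include Origin on the handshake, so rejecting its absence is the right default, but nothing in the hunk or the commit message records that decision. I would add above the new `if`: `// Origin is checked independently of Host: browsers always send it on the WebSocket handshake, so a missing or foreign Origin means the page opening the socket was not served by us.` The enclosing listen callback both starts and ends outside the hunk.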
@@ -636,7 +636,7 @@ Server.prototype.checkHost = function (headers, headerToCheck) {
 return true;
 }
- if (!headerToCheck) headerToCheck = "host";
+ if (!headerToCheck) headerToCheck = 'host';
 // get the Host header and extract hostname
 // we don't care about port not matching
 const hostHeader = headers[headerToCheck];
@@ -727,7 +727,7 @@ Server.prototype.listen = function (port, hostname, fn) {
 return;
 }
- if (!this.checkHost(connection.headers) || !this.checkHost(connection.headers, "origin")) {
+ if (!this.checkHost(connection.headers) || !this.checkHost(connection.headers, 'origin')) {
 this.sockWrite([ connection ], 'error', 'Invalid Host/Origin header');
 connection.close();