by mic159 2820 days ago
With websockets, it's actually up to the server to implement the cross origin detection. The library used in this application does not implement any protection.

So it's possible for any page on the net (eg evil.com) to connect to your socket and exfiltrate any data.

Make sure all tabs are closed and never visit any sites with advertising on it while this is running.

2 comments

This is important and the library in use here doesn't support this[1]. I'd stick to something more mature e.g. Tornado.

[1]: https://github.com/Pithikos/python-websocket-server/issues/1...

But this example works and, I assume, is intended to work over localhost. How would cross origin detection work in this case?

The websocket server needs to check the "Origin" header from the client. The code then needs to know what is expected (eg localhost or 127.0.0.1). If the origin header is something like "evil.xyz.com", then it needs to reject the connection.

Yes, I understand how origin verification is done. Nothing stops any other local app from making a WS connection to this app's server and pretending it is making valid requests while, potentially, executing destructive actions or stealing data.

I understand that the generic answer will be along the lines: "well, if you have local access, you're never safe", but there is zero protection here. Anything local can connect to it and impersonate the "front end".
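
Added example, not part of the thread and not code from the library or application discussed: a minimal server-side Origin check on the WebSocket upgrade request, as described in the reply above. The allowlist, port numbers and function names are assumptions made for illustration; the check only stops browser pages, since a local non-browser client can send any Origin value it likes.

```python
from urllib.parse import urlsplit

# Assumption: the page that talks to the socket is served from one of these origins.
ALLOWED_ORIGINS = {("http", "localhost", 8000), ("http", "127.0.0.1", 8000)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_headers(raw_request: bytes) -> dict:
    """Return the upgrade request's headers keyed by lower-cased name."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # first line is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def origin_allowed(origin, allowed=ALLOWED_ORIGINS) -> bool:
    """Exact scheme/host/port match; substring checks would accept lookalikes."""
    if not origin:
        return False  # no Origin header: not a browser page we expect
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return False
    scheme, host = parts.scheme.lower(), parts.hostname
    if host is None or scheme not in DEFAULT_PORTS or parts.path or parts.query:
        return False  # covers "null" and anything that is not scheme://host[:port]
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host, port) in allowed


def handshake_status(raw_request: bytes) -> int:
    """101 to continue the WebSocket upgrade, 403 to refuse it."""
    return 101 if origin_allowed(parse_headers(raw_request).get("origin")) else 403


def sample_request(origin=None) -> bytes:
    """Build a constructed sample upgrade request (not captured traffic)."""
    lines = ["GET / HTTP/1.1", "Host: localhost:9001", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append("Origin: " + origin)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")
```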