by tmpfs 2222 days ago
This is interesting, thanks for sharing. I wonder if a remediation for the moment would be for local websocket servers to check the Host header before sending the 101 switch protocol response. Also would a CORS "Access-Control-Allow-Origin: localhost" prevent the connections being established?
3 comments

> Also would a CORS "Access-Control-Allow-Origin: localhost" prevent the connections being established?

WebSocket isn't bound by CORS, AFAIK.

It is not subject to CORS, same as any regular img load isn't, but the browser will send an Origin header with websocket handshakes, which you're supposed to check server-side.
Given this is largely talking about sniffing development platforms, it could also require a nonce registered in the app and the frontend and only respond if that's sent via a header.

This would prevent having to worry about people who use other hostnames for host even in localdev.

The Host fix sounds right to me; local TCP web servers already have to do the same thing to avoid DNS rebinding attacks from external websites.
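The Host and Origin checks discussed in the replies above, as an added example that is not part of this thread: a handshake gate for a local development WebSocket server that refuses the 101 response unless Host is a local address on the expected port and Origin is on an explicit allow-list, with the optional nonce header from the reply above. The hostnames, port, allowed origins and the `X-WS-Nonce` header name are assumptions.

```python
# Added example: gate a WebSocket upgrade on Host + Origin (+ optional nonce).
# LOCAL_HOSTS, LISTEN_PORT, ALLOWED_ORIGINS and X-WS-Nonce are assumed values.
from __future__ import annotations
from typing import Optional
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}      # assumed: what "local" means
LISTEN_PORT = 8080                                   # assumed dev-server port
ALLOWED_ORIGINS = {"http://localhost:3000",          # assumed frontend origins;
                   "http://127.0.0.1:3000"}          # exact match, never "null"

def parse_request_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 request head into request line + lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def host_is_local(host: str) -> bool:
    """True only for an allow-listed hostname on our port (or no port).
    Rejects rebound names like attacker.example that resolve to 127.0.0.1."""
    try:
        parts = urlsplit("//" + host)   # handles [::1]:8080 bracket syntax
        port = parts.port               # ValueError on a malformed port
    except ValueError:
        return False
    return parts.hostname in LOCAL_HOSTS and port in (None, LISTEN_PORT)

def should_upgrade(raw: bytes, nonce: Optional[str] = None) -> tuple[bool, str]:
    """Decide whether to answer this handshake with 101 Switching Protocols."""
    _, h = parse_request_head(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if not host_is_local(h.get("host", "")):
        return False, "host not local"
    # Browsers always send Origin on WebSocket handshakes; require it and
    # compare the full origin string, since WebSocket ignores CORS headers.
    if h.get("origin", "").lower() not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    if nonce is not None and h.get("x-ws-nonce") != nonce:
        return False, "nonce mismatch"
    return True, "ok"

# Constructed sample handshakes (not captured traffic).
GOOD_REQUEST = (b"GET /ws HTTP/1.1\r\nHost: localhost:8080\r\nUpgrade: websocket\r\n"
                b"Connection: Upgrade\r\nOrigin: http://localhost:3000\r\n\r\n")
REBOUND_REQUEST = GOOD_REQUEST.replace(b"Host: localhost:8080", b"Host: attacker.example:8080")
CROSS_SITE_REQUEST = GOOD_REQUEST.replace(b"Origin: http://localhost:3000", b"Origin: http://evil.example")
```

`should_upgrade(GOOD_REQUEST)` returns `(True, "ok")`, while the rebound and cross-site variants are refused before any 101 is sent.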