by twic
1617 days ago
If you make a normal HTTP request first, the server can issue a standard HTTP cookie to the client. That cookie will then be included when the browser makes the WebSocket request. However, WebSockets are not subject to the same-origin policy, so this exposes you to CSRF [1]. To protect against that, you should check the Origin header on the server side.

[1] https://christian-schneider.net/CrossSiteWebSocketHijacking....
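The server-side Origin check the comment recommends, as an added example that is not part of the original post or of any project it links to. It assumes a constructed allowlist of origins (`ALLOWED_ORIGINS`) and takes the handshake headers as a plain dict; the sample handshakes at the bottom are constructed, not captured traffic. The point it makes beyond the comment: the cookie arriving with the handshake proves nothing about which page opened the socket, so a missing or unparseable Origin is rejected just like a foreign one, and the comparison is an exact match on a normalized `scheme://host[:port]` rather than a prefix or substring test.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the site(s) whose pages may open WebSockets here.
ALLOWED_ORIGINS = {"https://app.example.com", "https://example.com"}


def normalize_origin(origin):
    """Canonicalize an Origin value to scheme://host[:port], or None if invalid.

    Scheme and host are lowercased and the default port for the scheme is
    dropped, so "https://APP.example.com:443" equals "https://app.example.com".
    Anything that is not a bare origin (a path, query, "null", garbage)
    yields None and is therefore rejected by the caller.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if ":" in host:  # urlsplit strips the brackets from IPv6 literals
        host = f"[{host}]"
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Return True only if this is a WebSocket upgrade from an allowlisted origin.

    `headers` maps header names to values; lookup is case-insensitive.
    Browsers always send Origin on a WebSocket handshake, so its absence is
    treated as a failure rather than as a pass: the session cookie that
    rides along with the request is not evidence of where it came from.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("upgrade", "").lower() != "websocket":
        return False
    origin = lower.get("origin")
    if origin is None:
        return False
    canon = normalize_origin(origin)
    if canon is None:
        return False
    allowed_canon = {normalize_origin(a) for a in allowed}
    return canon in allowed_canon  # exact match, never startswith/substring


def parse_handshake(raw):
    """Minimal header parser for a raw HTTP/1.1 upgrade request (CRLF-separated)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


# Constructed sample handshakes for demonstration (not real traffic).
LEGIT = {
    "Host": "api.example.com",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Origin": "https://app.example.com",
    "Cookie": "session=abc123",
}
FOREIGN = {**LEGIT, "Origin": "https://other-site.example"}  # cookie present, wrong page
NO_ORIGIN = {k: v for k, v in LEGIT.items() if k != "Origin"}

SAMPLE_HANDSHAKE = (
    "GET /ws HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://app.example.com\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, hdrs in (("legit", LEGIT), ("foreign", FOREIGN), ("no-origin", NO_ORIGIN)):
        print(f"{label:10s} -> {'accept' if origin_allowed(hdrs) else 'reject'}")
    print("raw       ->", "accept" if origin_allowed(parse_handshake(SAMPLE_HANDSHAKE)) else "reject")
```

Run as a script it prints accept for the legitimate handshake and reject for the other two. In a real server this check belongs at the upgrade step, before any message is exchanged; rejecting with a 403 rather than completing the handshake is the usual choice. The Origin check is a browser-enforced control: non-browser clients can set the header to anything, so it defends cookie-bearing cross-site connections, not unauthenticated access in general.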