tracer: Validate Origin on WebSocket connection

To prevent abuse from untrusted web contents.
frida · Oct 19, 2024 · 03236f2 · 03236f2
1 parent bd67eb9
commit 03236f2
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/frida_tools/tracer.py b/frida_tools/tracer.py
@@ -340,6 +340,16 @@ def _handle_asset_request(
             self, connection: websockets.asyncio.server.ServerConnection, request: websockets.asyncio.server.Request
         ):
             if request.headers.get("Connection") == "Upgrade":
+                origin = request.headers.get("Origin")
+                if origin != f"http://localhost:{self._ui_port}":
+                    self._print(
+                        Fore.RED
+                        + Style.BRIGHT
+                        + "Warning"
+                        + Style.RESET_ALL
+                        + f": Cross-origin request from {origin} denied"
+                    )
+                    return connection.respond(http.HTTPStatus.FORBIDDEN, "Cross-origin request denied\n")
                 return
 
             raw_path = request.path.split("?", maxsplit=1)[0]