fix: harden control ui framing + ws origin

2026-05-09 16:54:31 +00:00 · 2026-02-03 16:00:57 -08:00
parent 0223416c61
commit 66d8117d44
11 changed files with 265 additions and 91 deletions
--- a/src/gateway/origin-check.test.ts
+++ b/src/gateway/origin-check.test.ts
@@ -0,0 +1,45 @@
+import { describe, expect, it } from "vitest";
+import { checkBrowserOrigin } from "./origin-check.js";
+
+describe("checkBrowserOrigin", () => {
+  it("accepts same-origin host matches", () => {
+    const result = checkBrowserOrigin({
+      requestHost: "127.0.0.1:18789",
+      origin: "http://127.0.0.1:18789",
+    });
+    expect(result.ok).toBe(true);
+  });
+
+  it("accepts loopback host mismatches for dev", () => {
+    const result = checkBrowserOrigin({
+      requestHost: "127.0.0.1:18789",
+      origin: "http://localhost:5173",
+    });
+    expect(result.ok).toBe(true);
+  });
+
+  it("accepts allowlisted origins", () => {
+    const result = checkBrowserOrigin({
+      requestHost: "gateway.example.com:18789",
+      origin: "https://control.example.com",
+      allowedOrigins: ["https://control.example.com"],
+    });
+    expect(result.ok).toBe(true);
+  });
+
+  it("rejects missing origin", () => {
+    const result = checkBrowserOrigin({
+      requestHost: "gateway.example.com:18789",
+      origin: "",
+    });
+    expect(result.ok).toBe(false);
+  });
+
+  it("rejects mismatched origins", () => {
+    const result = checkBrowserOrigin({
+      requestHost: "gateway.example.com:18789",
+      origin: "https://attacker.example.com",
+    });
+    expect(result.ok).toBe(false);
+  });
+});