Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rack-protection: Don't track the Accept-Language header by default #1504

Merged
merged 1 commit into from
Dec 15, 2018
Merged

rack-protection: Don't track the Accept-Language header by default #1504

merged 1 commit into from
Dec 15, 2018

Conversation

temochka
Copy link
Contributor

The existing default is inappropriate for any applications that accept websocket connections.

Some browsers (e.g., Safari 12, Chrome 71) don't set the Accept-Language header for websocket requests. A mixture of requests with and without this header results in unavailable sessions in websocket handlers. This affects both Sinatra apps and other websocket apps using rack-protection in their middleware stack.

Considering the partial nature ("this will not prevent determined hijacking attempts") of the employed defense mechanism and current proliferation of TLS support on the web, I propose relaxing the defaults (the attached patch) or disabling the middleware altogether (happy to help with that too).

Attaching request dumps for 3 modern browsers retrieved by running socket = new WebSocket("ws://localhost:4669") from the Developer Console against a local netcat server (nc -l 127.0.0.1 4669).

Safari 12:

GET / HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Host: localhost:4669
Origin: http://localhost:4666
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: SeL+g6qVeCy+TSczXF7Wjw==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15
Cookie: [concealed]

Chrome 71:

GET / HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Host: localhost:4669
Origin: http://localhost:4666
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: JfgrzYvGA1oPtZLasrWOMQ==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15
Cookie: [concealed]

Firefox 63:

GET / HTTP/1.1
Host: localhost:4669
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
Origin: http://localhost:4666
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: 06XKqwIb6Vs6idQ7ilvv5w==
Connection: keep-alive, Upgrade
Cookie: [concealed]
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

@temochka temochka closed this Dec 15, 2018
@temochka temochka reopened this Dec 15, 2018
@temochka
Copy link
Contributor Author

Update: The CI failure seems unrelated to changes in this branch. All tests pass on my local machine.

@namusyaka
Copy link
Member

@temochka Travis CI failure should be fixed in #1505 . Could you rebase and push again?

@temochka
Don't track the Accept-Language header by default.
6cf49c8 
Some modern browsers (e.g., Safari 12, Chrome 71) don't set the
Accept-Language header for websocket requests. A mixture of
requests with and without this header results in unavailable
sessions in websocket handlers due to the built-in Firesheep
protection.

The existing default is inappropriate for any applications
employing Rack sessions for websocket connections.
@temochka temochka force-pushed the websocket-empty-sessions branch from ff964d5 to 6cf49c8 Compare December 15, 2018 20:24
namusyaka
namusyaka approved these changes Dec 15, 2018
View reviewed changes
Copy link
Member

@namusyaka namusyaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks reasonable to me. Thanks!

@namusyaka namusyaka merged commit 38e5d63 into sinatra:master Dec 15, 2018
@temochka
Copy link
Contributor Author

Thanks, @namusyaka! 🎉

@jkowens jkowens mentioned this pull request Dec 21, 2018
Closed
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Mar 20, 2020
www/ruby-rack-protection: update to 2.0.8.1
cf49db8 
Update ruby-rack-protection to 2.0.8.1.


### rack-protection

* Don't track the Accept-Language header by default [#1504](sinatra/sinatra#1504) by Artem Chistyakov
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@namusyaka namusyaka namusyaka approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@temochka @namusyaka