Missing web-standard headers
Hey,
Currently the WebSocket negotiation is not web-standard because some headers are missing. This can reveal that bridges are WebTunnel bridges rather than regular WebSocket servers actually used on the web. For example, someone could send an HTTPS request to a bridge and immediately know from the headers that it is a "fake" WebSocket server. Additionally, clients should also send some web-standard headers, in case the plain request is seen by some MITM proxy like CloudFlare.
Client should send:

- `User-Agent` with a spoofed user-agent like Chrome on Windows 11
- `Origin` with a spoofed origin (probably the same as `Host` but with `https://`)
- `Cache-Control` with value `no-cache`
- `Pragma` with value `no-cache`
- `Accept-Language` with a spoofed value like `en-US,en`
- `Sec-WebSocket-Key` with a base64-encoded random 16-byte string, e.g. `base64_padded(random(16))` => `a7ECc1UoTpaIpPbs0Mq8eA==`
- `Sec-WebSocket-Version` with value `13` (the latest WebSocket standard)

Server should respond:

- `Sec-WebSocket-Accept` with the base64-encoded SHA-1 of the concatenation of the value of `Sec-WebSocket-Key` with `258EAFA5-E914-47DA-95CA-C5AB0DC85B11`, both taken as UTF-8/ASCII bytes, e.g. `base64_padded(sha1(concat(utf8_to_bytes(get("Sec-WebSocket-Key")), utf8_to_bytes("258EAFA5-E914-47DA-95CA-C5AB0DC85B11"))))` => `+ovyba4oZqzDi2gR26ncKXa9SCk=`
- `Date` with the date of the response as `<day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT`
I can work on this and make a pull request if needed.
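The handshake described above, as an added Go example (written for this issue, not code from the WebTunnel project): the client side generates `Sec-WebSocket-Key` from 16 random bytes and builds the listed browser-like headers, and the server side validates the request (key decodes to exactly 16 bytes, version is 13, Origin is https) and derives `Sec-WebSocket-Accept` and `Date` in the formats given. The `User-Agent` string, the host name `bridge.example`, and the `Upgrade`/`Connection` headers (required by RFC 6455 but not listed in the issue) are assumptions; the `Sec-WebSocket-Key` accept derivation is the standard one from RFC 6455 and reproduces that RFC's own worked example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// RFC 6455 GUID appended to the client key before hashing.
const websocketGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

// newWebSocketKey returns base64_padded(random(16)), the Sec-WebSocket-Key value.
func newWebSocketKey() (string, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(nonce[:]), nil
}

// acceptKey derives Sec-WebSocket-Accept = base64_padded(sha1(key || GUID)).
// Both inputs are hashed as their ASCII bytes, exactly as the issue describes.
func acceptKey(key string) string {
	h := sha1.New()
	h.Write([]byte(key))
	h.Write([]byte(websocketGUID))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// clientHeaders builds the browser-like upgrade request headers listed in the
// issue. The User-Agent value is a constructed sample; Upgrade and Connection
// are the mandatory RFC 6455 handshake headers (an assumption beyond the issue).
func clientHeaders(host, key string) http.Header {
	h := http.Header{}
	h.Set("Host", host)
	h.Set("Upgrade", "websocket")
	h.Set("Connection", "Upgrade")
	h.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36") // constructed sample
	h.Set("Origin", "https://"+host)
	h.Set("Cache-Control", "no-cache")
	h.Set("Pragma", "no-cache")
	h.Set("Accept-Language", "en-US,en")
	h.Set("Sec-WebSocket-Key", key)
	h.Set("Sec-WebSocket-Version", "13")
	return h
}

// validateClientHandshake is the server-side check: reject requests whose key
// is not base64 of exactly 16 bytes, whose version is not 13, or whose Origin
// is missing or not https.
func validateClientHandshake(h http.Header) error {
	if h.Get("Sec-WebSocket-Version") != "13" {
		return errors.New("unsupported Sec-WebSocket-Version")
	}
	raw, err := base64.StdEncoding.DecodeString(h.Get("Sec-WebSocket-Key"))
	if err != nil || len(raw) != 16 {
		return errors.New("Sec-WebSocket-Key is not base64 of 16 bytes")
	}
	if !strings.HasPrefix(h.Get("Origin"), "https://") {
		return errors.New("Origin missing or not https")
	}
	return nil
}

// serverHeaders builds the 101 response headers: the accept key plus a Date in
// "<day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT" form, which
// is exactly Go's http.TimeFormat.
func serverHeaders(clientKey string, now time.Time) http.Header {
	h := http.Header{}
	h.Set("Upgrade", "websocket")
	h.Set("Connection", "Upgrade")
	h.Set("Sec-WebSocket-Accept", acceptKey(clientKey))
	h.Set("Date", now.UTC().Format(http.TimeFormat))
	return h
}

func main() {
	key, err := newWebSocketKey()
	if err != nil {
		panic(err)
	}
	req := clientHeaders("bridge.example", key) // bridge.example is an assumed host
	if err := validateClientHandshake(req); err != nil {
		panic(err)
	}
	resp := serverHeaders(key, time.Now())
	fmt.Println("Sec-WebSocket-Key:   ", key)
	fmt.Println("Sec-WebSocket-Accept:", resp.Get("Sec-WebSocket-Accept"))
	fmt.Println("Date:                ", resp.Get("Date"))
}
```

`http.Header.Set` canonicalizes header names (`Sec-WebSocket-Key` is stored as `Sec-Websocket-Key`), which is harmless on the wire because header names are case-insensitive; the accept value is computed from the key's bytes, not its header name. The validation step matters for the issue's goal: a real browser always sends a 16-byte key and version 13, so a server that enforces both behaves like a standard WebSocket endpoint rather than one that accepts anything.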