Hello, I am a member of a team developing an application for FirefoxOS. The application communicates with a remote server using WebSockets. In order to filter unwanted access, the server rejects connections from unknown domains. After making some tests we found that the Origin field in the application TCP stream is app://<UUID>, and since this UUID is generated randomly at install time we can’t know for sure the package name. Due to this issue we can’t filter requests based on this field.

Header:

GET / HTTP/1.1
Host: 172.18.0.135:8787
User-Agent: Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
Origin: app://18b5513c-003a-4a19-a06b-bfa6f133c550
Sec-WebSocket-Protocol: org.jwebsocket.json
Sec-WebSocket-Key: mC6l4Br2L747ApD8F8vhLg==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: BeeGWnQ312E0MUCruIjn9mHMUsY=
Sec-WebSocket-Protocol: org.jwebsocket.json
Sec-WebSocket-Origin: app://18b5513c-003a-4a19-a06b-bfa6f133c550
Sec-WebSocket-Location: ws://172.18.0.135:8787/

Is this mechanism intended to change? Will there be any way to specify an application package name in order to overcome this limitation? We would expect at least that certified apps could be registered and a UUID could be given, so that we can always filter on the same UUID in the server connections.

Best regards
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
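
Added example, not part of the original message and not the poster's or jWebSocket's code: the server-side Origin check described above, in Python, run against the handshake request captured in the message. The allowlist entry https://app.example.com and the names parse_headers and classify_origin are assumptions made for illustration.

```python
import re
import uuid

# Constructed allowlist of web origins the server trusts (assumption).
ALLOWED_WEB_ORIGINS = {"https://app.example.com"}

# Handshake request headers as captured in the message above (subset).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 172.18.0.135:8787\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Origin: app://18b5513c-003a-4a19-a06b-bfa6f133c550\r\n"
    "Sec-WebSocket-Protocol: org.jwebsocket.json\r\n"
    "Sec-WebSocket-Key: mC6l4Br2L747ApD8F8vhLg==\r\n"
    "Connection: keep-alive, Upgrade\r\n"
    "Upgrade: websocket\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return a dict of lower-cased header names from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_origin(raw_request, allowed=ALLOWED_WEB_ORIGINS):
    """Return 'allowed', 'packaged-app', 'rejected' or 'missing'."""
    origin = parse_headers(raw_request).get("origin")
    if origin is None:
        return "missing"
    if origin in allowed:  # exact match works for stable web origins
        return "allowed"
    m = re.fullmatch(r"app://([0-9a-fA-F-]{36})", origin)
    if m:
        try:
            uuid.UUID(m.group(1))
        except ValueError:
            return "rejected"
        # Well-formed app://<UUID>: the UUID differs per install, so it
        # identifies no particular package and cannot be pinned in a list.
        return "packaged-app"
    return "rejected"
```

An exact-match allowlist can accept a fixed web origin, but for the captured request the most the server can conclude is "some installed packaged app", which is the limitation the message describes.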
