
WebSocket returns 403 with nonmatching BASE_URL #205

Open
mpas97 opened this issue Jan 8, 2025 · 3 comments

Comments

mpas97 commented Jan 8, 2025

Previously, we got 403 errors on the login page if the BASE_URL did not match. This was reverted in plausible/analytics#4126, thank you. But the WebSocket that provides data, e.g. on the start page, still remains empty when using a different URL.
[screenshot]
ws://<domain>/live/websocket returns a 403 here, but accessing it with a matching base URL works perfectly.

mpas97 commented Jan 8, 2025

Logs tell me the same:

[error] Could not check origin for Phoenix.Socket transport.

Origin of the request: http://localhost:8000

This happens when you are attempting a socket connection to
a different host than the one configured in your config/
files. For example, in development the host is configured
to "localhost" but you may be trying to access it from
"127.0.0.1". To fix this issue, you may either:

  1. update [url: [host: ...]] to your actual host in the
     config file for your current environment (recommended)

  2. pass the :check_origin option when configuring your
     endpoint or when configuring the transport in your
     UserSocket module, explicitly outlining which origins
     are allowed:

        check_origin: ["https://example.com",
                       "//another.com:888", "//other.com"]

mpas97 commented Jan 8, 2025

Maybe providing a variable allowing us to extend the check_origin domain array would be a solution? Or disable this check completely, as the domain restriction was removed on the cookie? There were also other discussions opened by people using proxies who face the same issue: plausible/analytics#4561 plausible/analytics#4163

ruslandoga (Contributor) commented Jan 9, 2025

👋 @mpas97

Thank you for the report!

Please share more information about your configuration and why you have localhost as the origin of the request :)

> Or disable this check completely like the domain restriction was removed on the cookie?

This might allow cross-origin WebSocket hijacking.
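The check_origin list format shown in the Phoenix error message above, and the cross-origin WebSocket hijacking that ruslandoga warns disabling the check would allow, as an added example in Python. This is not Plausible's or Phoenix's code: the exact matching rules (scheme pinned only when given, port defaulting from the scheme, "//host" matching any port, "//*.host" matching subdomains only), the DEFAULT_PORTS table, the function names and the sample handshake headers are all this example's own assumptions.

```python
"""
Origin allow-list check for a WebSocket upgrade request.

Added example for this thread, not Plausible's or Phoenix's code. The
allow-list format follows the entries in the Phoenix error message
("https://example.com", "//another.com:888", "//other.com"); the matching
rules below are this example's own assumptions:
  - scheme given        -> scheme must match; port defaults to that scheme's port
  - "//host:port"       -> any scheme, that host and port
  - "//host"            -> any scheme, any port
  - "//*.example.com"   -> any subdomain of example.com, not the apex
"""
from urllib.parse import urlsplit

# Assumed default ports used when an origin or entry names a scheme but no port.
DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}


def parse_origin(origin):
    """Return (scheme, host, port) for an Origin header value, or None when
    the header is absent, "null", or not a scheme://host[:port] origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    return parts.scheme, parts.hostname, port or DEFAULT_PORTS.get(parts.scheme)


def parse_allowed(entry):
    """Return (scheme_or_None, host_pattern, port_or_None) for one list entry.
    "//host" parses with an empty scheme, which we treat as "any scheme"."""
    parts = urlsplit(entry)
    scheme = parts.scheme or None
    port = parts.port
    if port is None and scheme:
        port = DEFAULT_PORTS.get(scheme)
    return scheme, parts.hostname, port


def _host_matches(pattern, host):
    """Exact host match, or subdomain match for a "*.example.com" pattern."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def origin_allowed(origin, allowed):
    """True only when the request Origin matches at least one entry.
    A missing or malformed Origin is rejected: browsers always send it on a
    WebSocket handshake, so a blank one is not a browser page we recognise."""
    parsed = parse_origin(origin)
    if parsed is None:
        return False
    scheme, host, port = parsed
    for entry in allowed:
        a_scheme, a_host, a_port = parse_allowed(entry)
        if a_scheme and a_scheme != scheme:
            continue
        if a_port is not None and a_port != port:
            continue
        if _host_matches(a_host, host):
            return True
    return False


def handle_upgrade(headers, allowed, check_origin=True):
    """Decide a WebSocket handshake: 101 to accept, 403 to refuse.
    check_origin=False models "disable this check completely": every origin,
    including an attacker's page, is accepted, and since the browser attaches
    the victim's session cookie to the handshake the attacker's script can
    then read the live data stream as the victim."""
    if not check_origin:
        return 101
    return 101 if origin_allowed(headers.get("Origin"), allowed) else 403


# Constructed sample handshakes (not captured traffic).
ALLOWED = ["https://example.com", "//another.com:888", "//other.com"]
VICTIM_HANDSHAKE = {"Upgrade": "websocket", "Origin": "https://example.com",
                    "Cookie": "_session=<victim session>"}
ATTACKER_HANDSHAKE = {"Upgrade": "websocket", "Origin": "https://attacker.example",
                      "Cookie": "_session=<victim session>"}

if __name__ == "__main__":
    print("victim page:", handle_upgrade(VICTIM_HANDSHAKE, ALLOWED))
    print("attacker page, check on:", handle_upgrade(ATTACKER_HANDSHAKE, ALLOWED))
    print("attacker page, check off:", handle_upgrade(ATTACKER_HANDSHAKE, ALLOWED, check_origin=False))
```

The thread's symptom is the first case: a page served from http://localhost:8000 opening ws://<domain>/live/websocket while the endpoint only allows the configured host, so the handshake is refused with 403. Extending the allow-list with the extra origin keeps the protection; switching the check off is what lets any third-party page open the socket with the user's cookie.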
