
How can I override the Origin header in Chrome when connecting to a WebSocket?

I am trying to connect to an external web socket server, which is not run by myself. I would like to connect to it from a localhost JavaScript file; therefore the Origin header has a null value.

I understand that this is a measure against cross-site forgery. However, since I am on localhost, I should be able to fake this by getting Chrome to send a custom Origin header.

Is it possible? (if I need an extension, that is fine)

If not, what is my best option to achieve the above? Thank you.

David Frank asked May 17 '15 19:05



1 Answer

As far as I know this will not be possible; it would break the security guards against CSRF in Chrome.

If you were able to do that, the whole concept of XHR would fall apart.

Here is an extension you can use to manipulate headers on the fly, but so far I have not been able to get it to manipulate socket headers.

Look here if you want to read more about this.

But this doesn't stop you from implementing your own client (in place of Chrome) where you can literally send whatever headers you want. Not sure if this helps you, sorry.

tato answered Sep 29 '22 15:09
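
The following is an added example, not part of the original question or answer. It shows what the answer's last point means for whoever runs the WebSocket server: a browser sets Origin truthfully, but a hand-built client chooses it, so an Origin allowlist filters cross-site pages and cannot stand in for authentication. The host name, allowlist, session value and function names are all constructed assumptions, and nothing touches the network.

```javascript
// Added example. All names and values are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed allowlist
const SESSIONS = new Set(["s3ss10n-constructed"]);            // assumed server-side session store

// A non-browser client writes the handshake itself, so Origin is just a string it picks.
function buildHandshake(host, path, origin, cookie) {
  const lines = [
    `GET ${path} HTTP/1.1`,
    `Host: ${host}`,
    "Upgrade: websocket",
    "Connection: Upgrade",
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==", // sample nonce from RFC 6455
    "Sec-WebSocket-Version: 13",
  ];
  if (origin !== undefined) lines.push(`Origin: ${origin}`);
  if (cookie !== undefined) lines.push(`Cookie: ${cookie}`);
  return lines.join("\r\n") + "\r\n\r\n";
}

// Server side: header names are case-insensitive, so key the map in lower case.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split("\r\n\r\n")[0].split("\r\n").slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return headers;
}

// Origin allowlisting stops other sites' pages in a browser; it says nothing about
// who a hand-built client is, so a session check is still required before upgrading.
function evaluateHandshake(raw) {
  const h = parseHeaders(raw);
  const originOk = ALLOWED_ORIGINS.has(h.get("origin"));
  const m = /(?:^|;\s*)session=([^;]+)/.exec(h.get("cookie") || "");
  const authenticated = m !== null && SESSIONS.has(m[1]);
  return { originOk, authenticated, accept: originOk && authenticated };
}

// Constructed cases: a page opened from a local file (Origin: null), a custom client
// claiming an allowed origin without a session, and a logged-in browser user.
const fromLocalFile = evaluateHandshake(buildHandshake("ws.example.com", "/feed", "null"));
const customClient = evaluateHandshake(buildHandshake("ws.example.com", "/feed", "https://app.example.com"));
const realUser = evaluateHandshake(
  buildHandshake("ws.example.com", "/feed", "https://app.example.com", "session=s3ss10n-constructed"));
console.log({ fromLocalFile, customClient, realUser });
```

The second case passes the Origin check and is still refused, which is the behaviour a server needs if its data is not meant to be public.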