From 26d3a8ca80bf78946eca7ccdc5945c2ffc6ce8fb Mon Sep 17 00:00:00 2001
From: Felix Lange
Date: Tue, 19 Feb 2019 11:49:43 +0100
Subject: [PATCH] rpc: skip websocket origin check if there is no origin header
---
 rpc/websocket.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/rpc/websocket.go b/rpc/websocket.go
index b8e067a5f2..6b986a914a 100644
--- a/rpc/websocket.go
+++ b/rpc/websocket.go
@@ -124,6 +124,13 @@ func wsHandshakeValidator(allowedOrigins []string) func(*websocket.Config, *http
 log.Debug(fmt.Sprintf("Allowed origin(s) for WS RPC interface %v", origins.ToSlice()))
 f := func(cfg *websocket.Config, req *http.Request) error {
+ // Skip origin verification if no Origin header is present. The origin check
+ // is supposed to protect against browser based attacks. Browsers always set
+ // Origin. Non-browser software can put anything in origin and checking it doesn't
+ // provide additional security.
+ if _, ok := req.Header["Origin"]; !ok {
+ return
+ }
 // Verify origin against whitelist.
 origin := strings.ToLower(req.Header.Get("Origin"))
 if allowAllOrigins || origins.Contains(origin) {
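Review bot: The added early exit is a bare `return` inside a closure declared as `func(cfg *websocket.Config, req *http.Request) error`, which does not compile because the result is unnamed; it should be `return nil` to accept the handshake. With this skip in place, a request that carries no Origin header is accepted whatever the allowed-origins list contains, so that list now constrains browsers only. The comment could say so explicitly, e.g. `// Non-browser clients are not restricted here; limit them at the network or authentication layer.` A `log.Debug` line on the skip path would also make handshakes that bypass the check visible in logs. The closure body continues past the end of the hunk.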