Websocket hijacking by webpages

Does Meteor have anything that prevents webpages you are currently visiting from listening in to the localhost Meteor websocket connection? Seems to be a hot topic on Hacker News and there is a good article about it.

2 Likes

Wouldn’t they show up as a separate client/session, so wouldn’t get the same info as an authenticated DDP session?

Could be an issue when developing with autopublish if you used sensitive data in development

As for restricting ws to localhost, I tend to do some debugging over the network so I can test different environments, so I either connect to an IP address or a local mDNS name. I would want an escape hatch so I could keep doing so when I need to.

1 Like

I tried this with several test apps (including autopublish/insecure) but no connections found. I think we should at least investigate if there is a successful portscan with a dev environment and then make this a priority topic.

1 Like

I think that’s just because the proof of concept site only checks for known Webpack / HMR sockets and ports. Meteor puts sockets on a different path under /sockjs

1 Like