dograh

apunkt/dograh

Fork 0

mirror of https://github.com/dograh-hq/dograh.git synced 2026-06-10 08:05:22 +02:00

Commit graph

Author	SHA1	Message	Date
Abhishek Kumar	8b9059fbe2	chore: format release please changelogs	2026-06-02 13:42:55 +05:30
shiminshen	51ab9303ec	fix(webrtc): enforce embed allowed-domain policy on public signaling websocket (#388 ) The public WebRTC signaling WebSocket (`/public/signaling/{session_token}`) validated only the session token and its expiry, not the embed token's allowed-domain policy that the HTTP embed endpoints already enforce. A leaked or replayed session token could therefore attach to the signaling path from an arbitrary origin. Validate the request origin against `embed_token.allowed_domains` (reusing the existing `validate_origin` helper) before the signaling handoff, rejecting disallowed origins with a 1008 close — mirroring the HTTP embed endpoints. Closes #330 Co-authored-by: shiminshen <16914659+shiminshen@users.noreply.github.com>	2026-06-02 13:10:30 +05:30

Author

SHA1

Message

Date

Abhishek Kumar

8b9059fbe2

chore: format release please changelogs

2026-06-02 13:42:55 +05:30

shiminshen

51ab9303ec

fix(webrtc): enforce embed allowed-domain policy on public signaling websocket (#388 )

The public WebRTC signaling WebSocket (`/public/signaling/{session_token}`)
validated only the session token and its expiry, not the embed token's
allowed-domain policy that the HTTP embed endpoints already enforce. A leaked
or replayed session token could therefore attach to the signaling path from
an arbitrary origin.

Validate the request origin against `embed_token.allowed_domains` (reusing the
existing `validate_origin` helper) before the signaling handoff, rejecting
disallowed origins with a 1008 close — mirroring the HTTP embed endpoints.

Closes #330

Co-authored-by: shiminshen <16914659+shiminshen@users.noreply.github.com>

2026-06-02 13:10:30 +05:30

2 commits