Reputation: 6092
I am trying to connect to an external WebSocket server, which is not run by myself. I would like to connect to it from a localhost JavaScript file, so the Origin header has the value null.
I understand that this is a measure against cross-site forgery. However, since I am on localhost, I should be able to fake this by getting Chrome to send a custom Origin header.
Is it possible? (if I need an extension, that is fine)
If not, what is my best option to achieve the above? Thank you.
Upvotes: 16
Views: 43729
Reputation: 4901
In C# System.Net.WebSockets.ClientWebSocket you can set the User-Agent header. This is required by some vendors for security purposes.
using System.Net.WebSockets;
// assumes authInfo.AuthToken already holds the token for the Authorization header
var socket = new ClientWebSocket();
// set the headers before ConnectAsync; Options is read-only once connected
socket.Options.SetRequestHeader("Authorization", authInfo.AuthToken);
// required, used for Auth on Cara cloud side
socket.Options.SetRequestHeader("User-Agent", "XYZ Cara Connector");
Upvotes: -1
Reputation: 4225
It depends on how you want to use your Chrome browser. Since you mention localhost, I assume you are developing and will use this for some kind of scraping. I suggest that you explore the Chrome DevTools Protocol, which will render (almost) any kind of protection useless because you use a real browser. CORS, Origin, Cookie or any arbitrary header value will be under your control, and you can send a custom header for XHR/WebSocket request(s). If you want to manipulate in a more advanced way you can use Network.continueInterceptedRequest. You might only want to start Chrome using parameters like "--disable-web-security, --disable-xss-auditor, --disable-client-side-phishing-detection, --allow-insecure-localhost"; more about such options at peter.sh. However, the last option requires a plugin in order to spoof the Origin header, so I recommend the first option.
Upvotes: 1
Reputation: 349222
Web pages cannot change the Origin header, but extensions can modify the request headers via the chrome.webRequest API. But ws:// and wss:// are not supported by this API, so this doesn't help unless the server also supports other means of communication via HTTP(S) (e.g. long-polling).
There is still a solution though: simply load a (known) web page at the desired origin in an iframe (e.g. https://example.com/favicon.ico or https://example.com/robots.txt) and use a content script to open the WebSocket from there.
Upvotes: 21
Reputation: 446
The Origin header is one of the headers that are set automatically by the user agent (as part of the browser implementation), and cannot be altered programmatically or through extensions. This makes sense because web service providers cannot allow random connections from localhosts.
You can connect to an external WebSocket only if you do it from a host explicitly accepted by the web service provider. Many headers cannot be trusted (because they can be overridden), but this is not the case with Origin, as it offers security not only for users, but also for service providers against unwanted connections.
Upvotes: 13
Reputation: 59
As far as I know this will not be possible; it would break the security guards against CSRF in Chrome.
If you were able to do that, the whole concept of XHR would fall apart.
Here is an extension you can use to manipulate headers on the fly, but so far I have not been able to get it to manipulate socket headers.
Look here if you want to read more about this.
But this doesn't stop you from implementing your own client (in place of Chrome) where you can literally send whatever headers you want; not sure if this helps you, sorry.
Upvotes: 2