From e608c7f7aef772aa1fc1f73d0e4c8027bd79fc0b Mon Sep 17 00:00:00 2001
From: cc
Date: Fri, 18 Oct 2024 23:48:19 +0200
Subject: [PATCH] validate Origin header on websocket connection

---
 frida_tools/tracer.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/frida_tools/tracer.py b/frida_tools/tracer.py
index 3fe8044..e100c2a 100644
--- a/frida_tools/tracer.py
+++ b/frida_tools/tracer.py
@@ -341,6 +341,17 @@ def _handle_asset_request(
 self, connection: websockets.asyncio.server.ServerConnection, request: websockets.asyncio.server.Request
 ):
 if request.headers.get("Connection") == "Upgrade":
+ origin = request.headers.get("Origin")
+ if origin != f"http://localhost:{self._ui_port}":
+ self._print(
+ Fore.RED
+ + Style.BRIGHT
+ + "Warning"
+ + Style.RESET_ALL
+ + f": Cross-origin request from {origin} denied"
+ )
+ return connection.respond(http.HTTPStatus.FORBIDDEN, 'Cross-origin request denied\n')
+ return
 raw_path = request.path.split("?", maxsplit=1)[0]