Skip to content

Fail closed on web server WebSocket origins#112

Merged
Just-Insane merged 4 commits into
mainfrom
fix/ws-origin-fail-closed
Jul 9, 2026
Merged

Fail closed on web server WebSocket origins#112
Just-Insane merged 4 commits into
mainfrom
fix/ws-origin-fail-closed

Conversation

@Just-Insane

Copy link
Copy Markdown
Contributor

Summary

  • reject WebSocket upgrades when CHARM_WEB_SERVER_ALLOWED_ORIGIN is unset instead of allowing any origin
  • keep raw-body HTTP requests without an Origin header working while still rejecting disallowed origins
  • document that real charm-web-server deployments must set CHARM_WEB_SERVER_ALLOWED_ORIGIN explicitly; this repo does not currently include the production compose/systemd config to verify

Related

Tests

  • cargo fmt --check
  • CARGO_TARGET_DIR=.target-codex cargo test -p charm-web-server --test http_api -- --test-threads=1
  • CARGO_TARGET_DIR=.target-codex cargo test -p charm-web-server

Note: I also attempted CARGO_TARGET_DIR=.target-codex cargo clippy -p charm-web-server -- -D warnings, but invalidated that run by deleting the generated .target-codex directory while clippy was still using it. The completed package test above passed before that cleanup mistake.

@Just-Insane Just-Insane temporarily deployed to cloudflare-preview July 9, 2026 14:44 — with GitHub Actions Inactive
@Just-Insane Just-Insane marked this pull request as ready for review July 9, 2026 14:44
Copilot AI review requested due to automatic review settings July 9, 2026 14:44
@Just-Insane Just-Insane enabled auto-merge July 9, 2026 14:44
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Web preview: https://pr-112-charm-preview.justin-tech.workers.dev

Built with VITE_CHARM_BUILD_TARGET=web and a same-origin /api/* Worker proxy so Strict session cookies work in authenticated preview flows.

@Just-Insane Just-Insane temporarily deployed to cloudflare-preview July 9, 2026 14:49 — with GitHub Actions Inactive

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens charm-web-server’s WebSocket origin validation so misconfiguration of CHARM_WEB_SERVER_ALLOWED_ORIGIN no longer silently degrades to “allow any origin”, and updates tests/docs to reflect the new deployment contract.

Changes:

  • Make /api/ws fail closed when CHARM_WEB_SERVER_ALLOWED_ORIGIN is unset (reject upgrades rather than allowing any origin).
  • Adjust the raw-body origin guard so HTTP requests without an Origin header can still work, while requests with an Origin header are allowlist-checked.
  • Update http_api integration tests and the crate README to document the new required configuration for real deployments.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
crates/charm-web-server/src/routes.rs Switch WS origin behavior to fail-closed when the allowlist env var is unset; relax raw-body guard to permit requests that truly lack Origin.
crates/charm-web-server/tests/http_api.rs Add/adjust WS integration tests around origin behavior; refactor WS request construction.
crates/charm-web-server/README.md Document the stricter origin allowlist contract and explicitly require CHARM_WEB_SERVER_ALLOWED_ORIGIN for deployments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread crates/charm-web-server/src/routes.rs Outdated
Comment thread crates/charm-web-server/tests/http_api.rs Outdated
Comment thread crates/charm-web-server/tests/http_api.rs

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5d05b71940

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread crates/charm-web-server/src/routes.rs
@Just-Insane Just-Insane temporarily deployed to cloudflare-preview July 9, 2026 15:00 — with GitHub Actions Inactive
@Just-Insane Just-Insane temporarily deployed to cloudflare-preview July 9, 2026 15:04 — with GitHub Actions Inactive
@Just-Insane Just-Insane added this pull request to the merge queue Jul 9, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 9, 2026
@Just-Insane Just-Insane added this pull request to the merge queue Jul 9, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 9, 2026
@Just-Insane Just-Insane merged commit 1fa6c7c into main Jul 9, 2026
27 checks passed
@Just-Insane Just-Insane deleted the fix/ws-origin-fail-closed branch July 9, 2026 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: charm-web-server WS handshake CORS falls back to allow-any-origin

2 participants