check origin header for websocket connection

Author: sokra

lib/Server.js

@@ -513,13 +513,15 @@ Server.prototype.setContentHeaders = function (req, res, next) {
   next();
 };
 
-Server.prototype.checkHost = function (headers) {
+Server.prototype.checkHost = function (headers, headerToCheck) {
   // allow user to opt-out this security check, at own risk
   if (this.disableHostCheck) return true;
 
+  if (!headerToCheck) headerToCheck = "host";
+
   // get the Host header and extract hostname
   // we don't care about port not matching
-  const hostHeader = headers.host;
+  const hostHeader = headers[headerToCheck];
   if (!hostHeader) return false;
 
   // use the node url-parser to retrieve the hostname from the host-header.
@@ -589,6 +591,11 @@ Server.prototype.listen = function (port, hostname, fn) {
         conn.close();
         return;
       }
+      if (!this.checkHost(conn.headers, "origin")) {
+        this.sockWrite([conn], 'error', 'Invalid Origin header');
+        conn.close();
+        return;
+      }
       this.sockets.push(conn);
 
       conn.on('close', () => {