[PR #18411] [MERGED] feat: add CORS validation to WebSocket connections for defense-in-depth #24782

Closed
opened 2026-04-20 05:35:23 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/18411
Author: @ricdikulous
Created: 10/18/2025
Status: Merged
Merged: 10/20/2025
Merged by: @tjbck

Base: dev ← Head: feat/websocket-cors-security


📝 Commits (2)

  • 9ae06a3 (https://github.com/open-webui/open-webui/commit/9ae06a3cac140673cb93895bab37846095e71059) Merge pull request #18138 from open-webui/dev
  • 25087e0 (https://github.com/open-webui/open-webui/commit/25087e09e6d7aeb12b68a4c8f45b25338953dfd0) feat: Add CORS validation to WebSocket connections. #18410

📊 Changes

1 file changed (+6 additions, -2 deletions)

📝 backend/open_webui/socket/main.py (+6 -2)

📄 Description

Pull Request Checklist

  • Target branch: Targets the dev branch
  • Description: Added CORS origin validation to WebSocket server
  • Changelog: Included below
  • Documentation: No new environment variables (uses existing CORS_ALLOW_ORIGIN)
  • Dependencies: No new dependencies
  • Testing: Manual testing performed (details below)
  • Agentic AI Code: Confirmed this is human-written code
  • Code review: Self-reviewed for coding standards
  • Title Prefix: feat: prefix used

Changelog Entry

Description

Added CORS (Cross-Origin Resource Sharing) validation to WebSocket connections as a defense-in-depth security measure. While authentication protects WebSocket endpoints, this change prevents potential cross-site WebSocket hijacking attacks by validating the origin of WebSocket connection requests against the configured CORS_ALLOW_ORIGIN setting.

Fixes #18410

Added

  • CORS origin validation to socketio.AsyncServer initialization in both Redis-managed and standard configurations
  • Import of CORS_ALLOW_ORIGIN from open_webui.config module

Changed

  • WebSocket server now respects the same CORS policy as HTTP endpoints
  • Both Redis and non-Redis WebSocket managers now include cors_allowed_origins parameter

Security

  • Defense-in-depth: Mitigates cross-site WebSocket hijacking attacks
  • WebSocket connections now validate origin headers against allowed CORS origins
  • Prevents malicious websites from establishing WebSocket connections even if they obtain valid tokens
  • Aligns WebSocket security posture with existing HTTP endpoint CORS protections

Additional Information

This change implements defense-in-depth security principles. While WebSocket endpoints are already protected by authentication mechanisms, adding CORS validation provides an additional security layer that:

  1. Prevents cross-site WebSocket hijacking (CSWSH) attacks
  2. Ensures WebSocket connections originate from trusted domains
  3. Maintains consistency with the existing CORS policy applied to HTTP endpoints
  4. Uses the existing CORS_ALLOW_ORIGIN configuration without requiring new environment variables

The implementation affects both deployment scenarios:

  • Redis-managed WebSockets (line 66): For distributed/clustered deployments
  • Standard WebSockets (line 75): For single-instance deployments

Code changes:

  • Modified /backend/open_webui/socket/main.py
  • Added import: from open_webui.config import CORS_ALLOW_ORIGIN
  • Added parameter cors_allowed_origins=CORS_ALLOW_ORIGIN to both socketio.AsyncServer instances

Testing performed:

  • Verified WebSocket connections work with default CORS_ALLOW_ORIGIN=* setting
  • Tested with specific origins (e.g., CORS_ALLOW_ORIGIN=http://localhost:8080)
  • Confirmed both Redis and non-Redis configurations function correctly
  • Validated existing functionality: chat, notes, channels, collaborative editing
  • No breaking changes to existing deployments
  • Backward compatible with all current configurations

Screenshots or Videos

[Optional: Add screenshots if you have them showing WebSocket connections working]

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA) (https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
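As an added example (not the PR's own diff and not python-socketio's implementation), here is a plain-Python model of the Origin check that `cors_allowed_origins` turns on for the Socket.IO handshake. It assumes `CORS_ALLOW_ORIGIN` is a `;`-separated allow-list and that a missing Origin header is passed through, as happens for non-browser clients; it also makes visible the caveat behind the PR's `CORS_ALLOW_ORIGIN=*` test case, namely that the wildcard accepts every origin and so gives no CSWSH protection.

```python
# Added example, not the PR's code: models the Origin check enabled by
#   sio = socketio.AsyncServer(cors_allowed_origins=CORS_ALLOW_ORIGIN, ...)
# Assumption: CORS_ALLOW_ORIGIN is a list parsed from a ';'-separated env var.
from typing import Optional
from urllib.parse import urlsplit


def normalize_origin(origin: str) -> str:
    """Reduce an origin to lower-case scheme://host[:port]; '' if not http(s)."""
    s = origin.strip()
    if s == "*":
        return "*"
    p = urlsplit(s)
    if p.scheme not in ("http", "https") or not p.hostname:
        return ""
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def parse_allowed_origins(raw: str) -> list:
    """Split a CORS_ALLOW_ORIGIN-style value into a normalized allow-list."""
    return [normalize_origin(o) for o in raw.split(";") if o.strip()]


def origin_allowed(origin_header: Optional[str], allowed: list) -> bool:
    """Decide whether a handshake carrying this Origin header may proceed.

    - No Origin: non-browser client; the check is a browser-side defense, so
      it passes here and authentication still has to hold on its own.
    - '*' in the allow-list: every origin passes, so the wildcard default
      removes the benefit of this PR; set explicit origins to get it.
    - Otherwise: exact match after normalization (scheme, host and port).
    """
    if origin_header is None or "*" in allowed:
        return True
    return normalize_origin(origin_header) in allowed


def triage(handshakes, allowed) -> dict:
    """Apply the check to (client, origin) pairs -> {client: accept|reject}."""
    return {c: "accept" if origin_allowed(o, allowed) else "reject"
            for c, o in handshakes}


if __name__ == "__main__":
    # Constructed sample handshakes; allow-list mirrors the PR's test value.
    allowed = parse_allowed_origins("http://localhost:8080")
    sample = [("browser-same-site", "http://localhost:8080"),
              ("browser-other-site", "https://other-site.example"),
              ("cli-client", None)]
    print(triage(sample, allowed))
```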

GiteaMirror added the pull-request label 2026-04-20 05:35:23 -05:00
Reference: github-starred/open-webui#24782