fix: check origin header for websocket connection (#1603)

Author: sokra

lib/Server.js

@@ -630,14 +630,16 @@ Server.prototype.setContentHeaders = function (req, res, next) {
   next();
 };
 
-Server.prototype.checkHost = function (headers) {
+Server.prototype.checkHost = function (headers, headerToCheck) {
   // allow user to opt-out this security check, at own risk
   if (this.disableHostCheck) {
     return true;
   }
+
+  if (!headerToCheck) headerToCheck = 'host';
   // get the Host header and extract hostname
   // we don't care about port not matching
-  const hostHeader = headers.host;
+  const hostHeader = headers[headerToCheck];
 
   if (!hostHeader) {
     return false;
@@ -725,8 +727,8 @@ Server.prototype.listen = function (port, hostname, fn) {
         return;
       }
 
-      if (!this.checkHost(connection.headers)) {
-        this.sockWrite([ connection ], 'error', 'Invalid Host header');
+      if (!this.checkHost(connection.headers) || !this.checkHost(connection.headers, 'origin')) {
+        this.sockWrite([ connection ], 'error', 'Invalid Host/Origin header');
 
         connection.close();