Improved WS reconnect closures and increased connection batching interval #296
…nt prevent sockets from opening for the same channels between views
… recent/active connection
src/realtime/MCWSStreamWorkerScript.js
Dismissed
| } | ||
| }; | ||
| worker = new MCWSStreamWorker(); | ||
| self.onmessage = function (messageEvent) { |
Check warning
Code scanning / CodeQL
Missing origin verification in `postMessage` handler Medium
Copilot Autofix
AI 9 months ago
To fix the problem, we need to verify the origin of incoming messages in the onmessage handler. This involves checking the origin property of the messageEvent object against a list of trusted origins. If the origin is not trusted, the message should be ignored.
- Define a list of trusted origins.
- Modify the `onmessage` handler to check the origin of the incoming message.
- Only process the message if the origin is in the list of trusted origins.
| @@ -313,3 +313,7 @@ | ||
| worker = new MCWSStreamWorker(); | ||
| const trustedOrigins = ['https://www.example.com']; | ||
| self.onmessage = function (messageEvent) { | ||
| if (!trustedOrigins.includes(messageEvent.origin)) { | ||
| return; | ||
| } | ||
| const data = messageEvent.data; |
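Review bot: the allowlist on the `const trustedOrigins = ['https://www.example.com'];` line is a placeholder, so the early `return;` would discard every message unless the app is served from that exact origin; the real origin(s) need to come from configuration before this suggestion can be applied. Before adopting it, also confirm what `messageEvent.origin` actually holds here: the handler is `self.onmessage` inside a worker script, and for messages a dedicated worker receives from the page that created it the `origin` field is an empty string, in which case the `includes` check would never pass and the worker would stop processing messages. If the worker is only reachable from the same-origin page that instantiates it, a short comment above the handler stating that, together with the alert dismissal, is a cleaner resolution than this check.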
Note to you and myself, @jvigliotta, you had triaged and addressed this type of security alert before as a non-issue. We should be sure to address this one too before this goes into patch release, so we can provide a scan for this release.
davetsay
left a comment
good work
closes #292
closes #293
Updated Realtime code to ES6 classes/syntax.
Increase reconnect debounce time from 10ms to 100ms to add additional time for connection batching.
When closing WebSockets (due to no subscribers or because of updated filters/topics) suppress any errors. In high latency environments, these sockets can be closed before even connecting, which will throw errors. Other errors can pop up due to high latency environments that are not useful to the end user as these connections are no longer being used (either being replaced with a new connection, once that connection opens so no data is lost or because there are no subscribers). These errors just cause confusion and serve no informational purpose.