Validate Origin of browser dialer page

Fix https://github.com/XTLS/Xray-core/issues/3236

common/platform/platform.go

@@ -21,6 +21,7 @@ const (
 
 	BufferSize           = "xray.ray.buffer.size"
 	BrowserDialerAddress = "xray.browser.dialer"
+	BrowserDialerOrigin = "xray.browser.dialer.origin"
 	XUDPLog              = "xray.xudp.show"
 	XUDPBaseKey          = "xray.xudp.basekey"
 )

transport/internet/websocket/dialer.go

@@ -26,18 +26,32 @@ var conns chan *websocket.Conn
 
 func init() {
 	addr := platform.NewEnvFlag(platform.BrowserDialerAddress).GetValue(func() string { return "" })
-	if addr != "" {
+
+    if addr != "" {
+        allowedOrigin := platform.NewEnvFlag(platform.BrowserDialerOrigin).GetValue(func() string { return "http://" + addr })
+
 		conns = make(chan *websocket.Conn, 256)
 		go http.ListenAndServe(addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if r.URL.Path == "/websocket" {
-				if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
-					conns <- conn
-				} else {
-					newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
-				}
-			} else {
-				w.Write(webpage)
-			}
+			if r.URL.Path != "/websocket" {
+                w.Write(webpage)
+                return
+            }
+
+            origin := r.Header.Get("origin")
+
+            if origin != allowedOrigin {
+                newError("Browser dialer unexpected origin: " + origin + " if this is the expected origin, set XRAY_BROWSER_DIALER_ORIGIN").AtError().WriteToLog()
+                return
+            }
+
+            conn, err := upgrader.Upgrade(w, r, nil)
+
+            if err != nil {
+                newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
+                return
+            }
+
+            conns <- conn
 		}))
 	}
 }