3 Commits

Author SHA1 Message Date
Scott Lamb
fd7438dd28 ignore port number in ws origin check
Fixes #219
2022-04-13 21:49:18 -07:00
Scott Lamb
4c9aa93fdf check WebSocket origin
This fixes a real cross-site WebSocket hijacking (CSWSH) vulnerability.
If the attacker knows the URL of an NVR installation this user is
authenticated to and the UUID of a camera, and can trick the user into
visiting their webpage, they can grab the live stream. At least there's
some entropy in the camera UUID, but it was never intended to be a
secret.
2022-03-22 14:51:12 -07:00
Scott Lamb
87f9736d80 separate live view into its own file
2021-10-28 13:07:39 -07:00
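
A sketch of the kind of check the two WebSocket commit messages above describe: refuse an upgrade whose Origin names a different host, comparing hosts with any port stripped. This is an added example, not the project's code; comparing against the Host header, the function names, the policy for a missing Origin and the sample hosts are all assumptions.

```rust
/// Strips an optional `:port` from `host[:port]`, keeping bracketed IPv6 literals whole.
fn host_without_port(authority: &str) -> &str {
    if authority.starts_with('[') {
        return match authority.find(']') {
            Some(end) => &authority[..=end],
            None => authority,
        };
    }
    match authority.rfind(':') {
        Some(i) => &authority[..i],
        None => authority,
    }
}

/// Decides whether a WebSocket upgrade may proceed, given the request's
/// Origin and Host header values (hypothetical helper for illustration).
fn ws_origin_allowed(origin: Option<&str>, host: Option<&str>) -> bool {
    let origin = match origin {
        Some(o) => o,
        // Assumed policy: browsers always send Origin on WebSocket handshakes,
        // so a request without one comes from a non-browser client.
        None => return true,
    };
    let host = match host {
        Some(h) => h,
        None => return false,
    };
    // An Origin is `scheme://host[:port]`; anything else (including "null") is refused.
    let authority = match origin.split_once("://") {
        Some((_scheme, rest)) => rest.split('/').next().unwrap_or(""),
        None => return false,
    };
    let (o, h) = (host_without_port(authority), host_without_port(host));
    // Exact host match only, so `nvr.example.evil.example` does not pass.
    !o.is_empty() && o.eq_ignore_ascii_case(h)
}

fn main() {
    // Constructed sample handshakes: (Origin, Host).
    let cases = [
        (Some("https://nvr.example"), Some("nvr.example:8080")),
        (Some("https://evil.example"), Some("nvr.example")),
        (Some("null"), Some("nvr.example")),
    ];
    for (origin, host) in cases {
        println!("{:?} vs {:?}: {}", origin, host, ws_origin_allowed(origin, host));
    }
}
```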