feat: use path-based browser dialer csrf endpoint

Agent-Logs-Url: https://github.com/XTLS/Xray-core/sessions/b6b47cc0-5a64-49d5-9447-22c9c202c95d

Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>

transport/internet/browser_dialer/dialer.go

@@ -61,23 +61,24 @@ func newDialerInstance(addr string) *dialerInstance {
 	token := uuid.New()
 	csrfToken := token.String()
 	page := bytes.ReplaceAll(webpage, []byte("csrfToken"), []byte(csrfToken))
+	wsPath := "/websocket/" + csrfToken
 	dialer := &dialerInstance{
 		conns: make(chan *websocket.Conn, 256),
 	}
 	dialer.server = &http.Server{
 		Addr: addr,
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if r.URL.Path == "/websocket" {
-				if r.URL.Query().Get("token") == csrfToken {
-					if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
-						dialer.conns <- conn
-					} else {
-						errors.LogError(context.Background(), "Browser dialer http upgrade unexpected error")
-					}
+			if r.URL.Path == wsPath {
+				if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
+					dialer.conns <- conn
+				} else {
+					errors.LogError(context.Background(), "Browser dialer http upgrade unexpected error: ", err)
 				}
-			} else {
-				w.Header().Set("Access-Control-Allow-Origin", "*")
-				w.Write(page)
+				return
+			}
+			w.Header().Set("Access-Control-Allow-Origin", "*")
+			if _, err := w.Write(page); err != nil {
+				errors.LogError(context.Background(), "Browser dialer http page write unexpected error: ", err)
 			}
 		}),
 	}

transport/internet/browser_dialer/dialer.html

@@ -10,7 +10,7 @@
 		// Enable a much more aggressive JIT for performance gains
 
 		// Copyright (c) 2021 XRAY. Mozilla Public License 2.0.
-		let url = "ws://" + window.location.host + "/websocket?token=csrfToken";
+		let url = "ws://" + window.location.host + "/websocket/csrfToken";
 		let clientIdleCount = 0;
 		let upstreamGetCount = 0;
 		let upstreamWsCount = 0;