From 2691a1aa0ed336a775390060d9132c5e2163c965 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 26 Apr 2026 15:01:48 +0000
Subject: [PATCH] feat: use path-based browser dialer csrf endpoint
Agent-Logs-Url: https://github.com/XTLS/Xray-core/sessions/b6b47cc0-5a64-49d5-9447-22c9c202c95d
Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
---
transport/internet/browser_dialer/dialer.go | 21 ++++++++++---------
transport/internet/browser_dialer/dialer.html | 2 +-
2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/transport/internet/browser_dialer/dialer.go b/transport/internet/browser_dialer/dialer.go
index 68345a5e..45e13d55 100644
--- a/transport/internet/browser_dialer/dialer.go
+++ b/transport/internet/browser_dialer/dialer.go
@@ -61,23 +61,24 @@ func newDialerInstance(addr string) *dialerInstance {
 token := uuid.New()
 csrfToken := token.String()
 page := bytes.ReplaceAll(webpage, []byte("csrfToken"), []byte(csrfToken))
+ wsPath := "/websocket/" + csrfToken
 dialer := &dialerInstance{
 conns: make(chan *websocket.Conn, 256),
 }
 dialer.server = &http.Server{
 Addr: addr,
 Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.URL.Path == "/websocket" {
- if r.URL.Query().Get("token") == csrfToken {
- if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
- dialer.conns <- conn
- } else {
- errors.LogError(context.Background(), "Browser dialer http upgrade unexpected error")
- }
+ if r.URL.Path == wsPath {
+ if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
+ dialer.conns <- conn
+ } else {
+ errors.LogError(context.Background(), "Browser dialer http upgrade unexpected error: ", err)
 }
- } else {
- w.Header().Set("Access-Control-Allow-Origin", "*")
- w.Write(page)
+ return
+ }
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ if _, err := w.Write(page); err != nil {
+ errors.LogError(context.Background(), "Browser dialer http page write unexpected error: ", err)
 }
 }),
 }
diff --git a/transport/internet/browser_dialer/dialer.html b/transport/internet/browser_dialer/dialer.html
index 5a0df489..255f9ed4 100644
--- a/transport/internet/browser_dialer/dialer.html
+++ b/transport/internet/browser_dialer/dialer.html
@@ -10,7 +10,7 @@
 // Enable a much more aggressive JIT for performance gains
 // Copyright (c) 2021 XRAY. Mozilla Public License 2.0.
 
- let url = "ws://" + window.location.host + "/websocket?token=csrfToken";
+ let url = "ws://" + window.location.host + "/websocket/csrfToken";
 let clientIdleCount = 0;
 let upstreamGetCount = 0;
 let upstreamWsCount = 0;
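Review bot: The new-side handler still sets `Access-Control-Allow-Origin: *` on the response that carries `page`, and `page` has `csrfToken` substituted into it, so any origin that can reach this listener can fetch the page, read the token from the body and then open `wsPath`; moving the token from the query string into the path does not change that, because the secret is still handed out in a cross-origin-readable response. Unless a cross-origin reader of this page is actually intended, the `w.Header().Set("Access-Control-Allow-Origin", "*")` line should be dropped, and since every non-`wsPath` path currently returns the page, a guard such as `if r.URL.Path != "/" { http.NotFound(w, r); return }` before the write would narrow the surface further. Whether `upgrader` applies an origin check on the upgrade is not visible in the hunk; if it does, a one-line comment at the `r.URL.Path == wsPath` branch saying so would make clear that the path token is not the only cross-site protection. newDialerInstance continues past the end of the hunk.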