From c16a2c2c8062db607d2f8c03004aaa4dc2aabc9d Mon Sep 17 00:00:00 2001
From: Tulir Asokan
Date: Tue, 15 Oct 2024 00:14:55 +0300
Subject: [PATCH] server: remove header validation for websockets
---
 server.go | 2 +-
 websocket.go | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/server.go b/server.go
index d9f6c1a..b98d866 100644
--- a/server.go
+++ b/server.go
@@ -162,7 +162,7 @@ func isUserFetch(header http.Header) bool {
 func (gmx *Gomuks) AuthMiddleware(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.Header.Get("Sec-Fetch-Site") != "same-origin" && !isUserFetch(r.Header) {
+ if r.Header.Get("Sec-WebSocket-Key") == "" && r.Header.Get("Sec-Fetch-Site") != "same-origin" && !isUserFetch(r.Header) {
 ErrInvalidHeader.WithMessage("Invalid Sec-Fetch-Site header").Write(w)
 return
 }
diff --git a/websocket.go b/websocket.go
index 92886cf..48eac6f 100644
--- a/websocket.go
+++ b/websocket.go
@@ -54,10 +54,6 @@ const (
 var emptyObject = json.RawMessage("{}")
 func (gmx *Gomuks) HandleWebsocket(w http.ResponseWriter, r *http.Request) {
- if r.Header.Get("Sec-Fetch-Mode") != "websocket" {
- ErrInvalidHeader.WithMessage("Invalid Sec-Fetch-Dest header").Write(w)
- return
- }
 var conn *websocket.Conn
 log := zerolog.Ctx(r.Context())
 recoverPanic := func(context string) bool {
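Review bot: The new exemption in `AuthMiddleware` depends only on `Sec-WebSocket-Key` being non-empty, so every route behind this middleware skips the `Sec-Fetch-Site` check for a websocket-style handshake, and nothing visible in this patch checks where that handshake originates. Browsers do not apply the same-origin policy to websocket handshakes and send cookies with them, so if authentication is cookie-based and the websocket accept call (not shown here) does not validate `Origin`, the socket is exposed to cross-site websocket hijacking; the websocket.go hunk also removes the only other header check on that path. Consider restricting the exemption to the websocket route and replacing it with an explicit origin check, for example `if o := r.Header.Get("Origin"); o != "" && !sameOrigin(o, r.Host) { ErrInvalidHeader.WithMessage("Invalid Origin header").Write(w); return }`, where `sameOrigin` is a helper that would need to be added. The handler closure continues outside the hunk, so later checks may exist that are not visible here.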