Origin check should not only be a check against the host

[timofurrer]

The package supports to automatically perform an Origin header check via OriginPatterns. However, these origin patterns are only checked against the Origin header Host component (see

websocket/accept.go

Line 244 in efb626b

matched, err := match(hostPattern, u.Host)

).

I believe that this is incorrect and the entire Origin header should be checked against a set of allowed once - that is, including the schema and port.

[sc0Vu]

@timofurrer It seems Host contains host and port https://pkg.go.dev/net/url#URL, but I think they may miss schema here. Based on this spec https://datatracker.ietf.org/doc/html/rfc6454#section-3.2, the schema is required.

[mafredri]

Thanks for raising this issue @timofurrer.

I believe the best way to amend this would be to detect the presence of URI scheme (://) in the OriginPattern and if present, include it in the comparison. That way, we can allow more specificity without a breaking change. Thoughts?

As @sc0Vu mentioned, the port is already included so we only need to add the scheme.

[mafredri]

@timofurrer @sc0Vu I've implemented a fix in #536, although for backwards compatibility, there still exists one small gotcha: If the request host matches the origin host exactly, we always allow it.

We could change the behavior such that this only applies if no OriginPatterns have been defined, but that's a breaking change. So my question is, does #536 seem sufficient to close this issue?