Server websocket implementation should allow, ignore other subprotocols (#1112)

niloc132 · johanbrandhorst · web-flow · commit 230601cd7d59 · 2022-07-15T20:15:58.000-04:00
* Server websocket implementation should allow, ignore other subprotocols Correctly reads all Sec-Websocket-Protocol headers and reads all values in those headers, and only succeeds if the expected subprotcol value of "grpc-websockets" is present. This implementation roughly mirrors what the nhooyr.io/websocket Accept() method does, with a few simplifications. Fixes #1111 * Manually update docs, correct indentation * Review feedback Canonicalize the header key before read, normalizing the possible values. Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com> Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
diff --git a/go/grpcweb/DOC.md b/go/grpcweb/DOC.md
@@ -286,7 +286,7 @@ the "content-type" is "application/grpc-web" and that the method is POST.
 func (w *WrappedGrpcServer) IsGrpcWebSocketRequest(req *http.Request) bool
 ```
 IsGrpcWebSocketRequest determines if a request is a gRPC-Web request by checking
-that the "Sec-Websocket-Protocol" header value is "grpc-websockets"
+that the "Sec-Websocket-Protocol" header value contains "grpc-websockets"
 
 #### func (*WrappedGrpcServer) ServeHTTP
 
diff --git a/go/grpcweb/wrapper.go b/go/grpcweb/wrapper.go
@@ -133,9 +133,21 @@ func (w *WrappedGrpcServer) ServeHTTP(resp http.ResponseWriter, req *http.Reques
 }
 
 // IsGrpcWebSocketRequest determines if a request is a gRPC-Web request by checking that the "Sec-Websocket-Protocol"
-// header value is "grpc-websockets"
+// header value contains "grpc-websockets"
 func (w *WrappedGrpcServer) IsGrpcWebSocketRequest(req *http.Request) bool {
-	return strings.ToLower(req.Header.Get("Upgrade")) == "websocket" && strings.ToLower(req.Header.Get("Sec-Websocket-Protocol")) == "grpc-websockets"
+	if strings.ToLower(req.Header.Get("Upgrade")) != "websocket" {
+		return false
+	}
+
+	for _, subproto := range req.Header.Values("Sec-Websocket-Protocol") {
+		for _, token := range strings.Split(subproto, ",") {
+			token = strings.TrimSpace(token)
+			if strings.EqualFold(token, "grpc-websockets") {
+				return true
+			}
+		}
+	}
+	return false
 }
 
 // HandleGrpcWebRequest takes a HTTP request that is assumed to be a gRPC-Web request and wraps it with a compatibility
