Request: Allow any origin for websocket_bridge

[helo-xperi]

Hi.

I noticed that websocket_bridge in Perfetto uses AddAllowedOrigin() to restrict access to specific origins:

srv.AddAllowedOrigin("http://localhost:10000");
srv.AddAllowedOrigin("http://127.0.0.1:10000");
srv.AddAllowedOrigin("https://ui.perfetto.dev");

However, the origin of a HTTP request can be spoofed in multiple ways:

1. Non-browser clients: Tools like curl or custom scripts can send arbitrary Origin.
2. Browser-based spoofing: By manipulating DNS resolution in the client (e.g., pointing localhost or ui.perfetto.dev to another server) and for HTTPS origins disable certificate validation or use a self-signed certificate where the CA is trusted inside the browser.

What I think this means is that the origin check in websocket_bridge provides limited security guarantees for the system running websocket_bridge, even against browser-based attacks, since a malicious client can bypass it entirely by crafting the request as it sees fit. Unlike CORS headers that are intended to protect non-malicious clients by informing the client of any allowed origins - this seems to want to protect the host.

I have two questions:

1. What is the threat model that this access control avoids?
2. Request: Is it possible to change the behaviour of websocket_bridge to allow any HTTP origin by default?

The reason for this request is to allow a Perfetto UI instances hosted inside a corporate network to connect to websocket_bridge without modifying the source code.

[primiano]

The two spoof scenarios you listed are not the concern.

The real concern is that you visit a random malicious website, and that website tries connects to the websocket bridge and takes over of the device connected.

If you assume localhost access (e.g. a non-browser) there is no need to use websocket bridge, just talk directly to ADB on localhost:5037. websocket_bridge will not give you any gain if you can run malicious/untrusted code on localhost.

So the deal is "we trust ui.perfetto.dev (and localhost for development) but we cannot trust the whole internet"

Request: Is it possible to change the behaviour of websocket_bridge to allow any HTTP origin by default?

No absolutely not. that's a big security risk. a random website on the internet could run arbitrary commands on your android device and install malware on it.

If you want you can send a CL that takes an optional argument --http-additional-cors-origins similar to what traceprocessor does.

[helo-xperi]

there is no need to use websocket bridge, just talk directly to ADB

I'm sorry for not providing proper context on our use case. We are tracing remote Linux based devices using Perfetto.

random website on the internet could run arbitrary commands on your android device and install malware on it.

Thanks for highlighting the attack vector here. That makes sense to avoid.

I think --http-additional-cors-origins is a good idea, though I'd like to perhaps make an addition to that. Would a CL that also adds a GN arg for injecting such origins as default inside the binary be accepted? If we compile our websocket_bridge with said argument set our users can then follow the instructions for tracing in the WebUI.

[LalitMaganti]

I think --http-additional-cors-origins is a good idea, though I'd like to perhaps make an addition to that. Would a CL that also adds a GN arg for injecting such origins as default inside the binary be accepted? If we compile our websocket_bridge with said argument set our users can then follow the instructions for tracing in the WebUI.

I think it would be a good addition. Though I would ask you also modify trace processor to respect this arg as well if you send the CL.