Restrict daemon HTTP requests to extension origins

app/src/daemon.ts

@@ -71,34 +71,40 @@ export function init(port: number, serverPassword?: string) {
     }
 
     server.on("upgrade", (req, socket, head) => {
+        /**
+         * Only accept authenticated WebSocket requests from extension
+         * origins.
+         */
         if (
-            // Only accept WebSocket requests from extension origins
+            req.headers.origin?.startsWith("moz-extension://") &&
-            !req.headers.origin?.startsWith("moz-extension://") ||
+            authenticate(req)
-            !authenticate(req)
         ) {
-            socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+            wss.handleUpgrade(req, socket, head, ws => {
-            socket.destroy();
+                wss.emit("connection", ws, req);
+            });
+
             return;
         }
 
-        wss.handleUpgrade(req, socket, head, ws => {
+        socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
-            wss.emit("connection", ws, req);
+        socket.destroy();
-        });
     });
 
     /**
-     * JS WebSocket API does not allow access to connection errors, so
+     * Browser WebSocket API does not allow access to connection errors,
-     * provide an endpoint for feedback on invalid authentication.
+     * so provide an endpoint for feedback on invalid authentication.
      */
     server.on("request", (req, res) => {
-        if (!authenticate(req)) {
+        /**
-            res.writeHead(401);
+         * Requests from extensions have their origin header stripped,
-            res.end();
+         * so block all requests with origin headers.
-
+         */
+        if ("origin" in req.headers) {
+            req.destroy();
             return;
         }
 
-        res.writeHead(200);
+        res.writeHead(authenticate(req) ? 200 : 401);
         res.end();
     });