[Libwebsockets] http 403

Kun Zhao kzhdev at gmail.com
Fri Mar 22 00:18:19 CET 2019


Is there a way to tell lws not to send origin?

On Thu, Mar 21, 2019 at 4:12 PM Andy Green <andy at warmcat.com> wrote:

>
>
> On 22/03/2019 05:06, Kun Zhao wrote:
>
> > But why does curl work? There must be something different in the headers
> > libwebsockets sent out.
>
>   - Curl doesn't send origin as you can see from your logs.
>
>   - The minimal example asks lws to send origin by default because
> that's what other servers demand to see.
>
>   - the server in this case has a policy to 403 anyone that either sends
> origin that isn't exactly what it wants or who sends any origin header
> (which is a perfectly valid thing to send in http).
>
> -Andy
>
> > On Thu, Mar 21, 2019 at 3:52 PM Andy Green <andy at warmcat.com> wrote:
> >
> >
> >
> >     On 22/03/2019 01:59, Kun Zhao wrote:
> >      > Hi Andy,
> >      >
> >      > I'm trying to get a JSON from
> >     https://www.bitmex.com/api/v1/instrument
> >      > REST API. I tried my own libwebsockets app and
> >      > libwebsockets_test_client, both of them failed with 403.
> >     However, I
> >      > can use curl to get the JSON without any problems. How do I
> >     figure out
> >      > what is wrong with libwebsockets?
> >
> >     Something "wrong with libwebsockets", eh.
> >
> >      > Attached are the detailed logs of curl and
> >      > libwebsockets_test_client.
> >      > Hopefully, that will give you more information.
> >
> >     I did this to the minimal http client (and gave it --h1)
> >
> >     diff --git
> >
>  a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
> >
> >
>  b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
> >     index d8ce24212..202eb3264 100644
> >     ---
> >
>  a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
> >     +++
> >
>  b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
> >     @@ -155,7 +155,7 @@ int main(int argc, const char **argv)
> >                       i.ssl_connection |= LCCSCF_ALLOW_SELFSIGNED;
> >               } else {
> >                       i.port = 443;
> >     -               i.address = "warmcat.com <http://warmcat.com>";
> >     +               i.address = "www.bitmex.com <http://www.bitmex.com
> >";
> >               }
> >
> >               if (lws_cmdline_option(argc, argv, "--h1"))
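Review bot: the added `i.address` value in the else branch is hard-coded to a single host, and as quoted here it carries mail-client link text (`<http://www.bitmex.com`) and a line break inside the string literal, so it will not apply or compile as shown. The literal should be the bare hostname only, and since the example already reads `--h1` through `lws_cmdline_option`, taking the server name from an option would avoid editing the source for each server.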
> >     @@ -164,9 +164,9 @@ int main(int argc, const char **argv)
> >               if ((p = lws_cmdline_option(argc, argv, "-p")))
> >                       i.port = atoi(p);
> >
> >     -       i.path = "/";
> >     +       i.path = "/api/v1/instrument/active";
> >               i.host = i.address;
> >     -       i.origin = i.address;
> >     +//     i.origin = i.address;
> >               i.method = "GET";
> >
> >               i.protocol = protocols[0].name;
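Review bot: commenting out `i.origin = i.address;` with `//` leaves dead code and makes the no-Origin behaviour unconditional, although the thread notes that other servers require the header. Prefer making it switchable in the same way `--h1` and `-p` are read through `lws_cmdline_option`, and if the assignment is dropped, set `i.origin` to NULL explicitly, since the hunk does not show how `i` is initialised.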
> >
> >     I tried a few things for origin but it seems that server just
> >     rejects any request with origin header.
> >
> >     https://tools.ietf.org/html/rfc6454#section-7
> >
> >     Other servers require it... anyway there's nothing "wrong with
> >     libwebsockets", your request must comply with whatever policy the
> >     server
> >     has decided to implement.  In this case, apparently, "don't send me
> >     origin or you will get a 403".
> >
> >     -Andy
> >
>
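Added example (not from the thread and not libwebsockets code): a small C model of the server-side Origin policies Andy describes, showing why the same GET gets 200 without Origin and 403 with it, or the reverse on a server that demands the header. The policy names, the request heads and the expected Origin value are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed request heads (not captured traffic): without and with Origin. */
#define REQ_HEAD "GET /api/v1/instrument/active HTTP/1.1\r\nHost: www.bitmex.com\r\n"
static const char *REQ_NO_ORIGIN = REQ_HEAD "\r\n";
static const char *REQ_WITH_ORIGIN = REQ_HEAD "Origin: https://www.bitmex.com\r\n\r\n";
static const char *EXPECTED = "https://www.bitmex.com"; /* assumed allow-listed value */

enum origin_policy { ORIGIN_IGNORED, ORIGIN_MUST_MATCH, ORIGIN_FORBIDDEN };

/* Copy header `name` (case-insensitive) out of a raw request head; 1 if present. */
static int get_header(const char *req, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *h, *eol = strstr(req, "\r\n");      /* end of the request line */
    while (eol && *(h = eol + 2) && strncmp(h, "\r\n", 2) != 0) {
        if (!(eol = strstr(h, "\r\n")))
            break;
        if (strncasecmp(h, name, nlen) == 0 && h[nlen] == ':') {
            const char *v = h + nlen + 1;
            v += strspn(v, " \t");                  /* skip optional whitespace */
            snprintf(out, outlen, "%.*s", (int)(eol - v), v);
            return 1;
        }
    }
    return 0;
}

/* Status a server applying `pol` would return for this request. */
int origin_status(const char *req, enum origin_policy pol, const char *expected)
{
    char origin[256];
    int present = get_header(req, "Origin", origin, sizeof(origin));
    if (pol == ORIGIN_FORBIDDEN)    /* what the server in the thread appears to do */
        return present ? 403 : 200;
    if (pol == ORIGIN_MUST_MATCH)   /* servers that demand it: exact string match */
        return (present && strcmp(origin, expected) == 0) ? 200 : 403;
    return 200;
}

int main(void)
{
    const char *reqs[] = { REQ_NO_ORIGIN, REQ_WITH_ORIGIN };
    for (int p = ORIGIN_IGNORED; p <= ORIGIN_FORBIDDEN; p++)
        for (int r = 0; r < 2; r++)
            printf("policy=%d origin_sent=%d status=%d\n", p, r,
                   origin_status(reqs[r], (enum origin_policy)p, EXPECTED));
    return 0;
}
```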