You are browsing documentation for version 5.0 of OroCommerce, OroCRM, and OroPlatform, maintained until August 2024 and supported until March 2026. See version 5.1 (the latest LTS version) of the Oro documentation for information on latest features.

See our Release Process documentation for more information on the currently supported and upcoming releases.

Origin Checking

When a connection with the WebSocket server is established, it checks the Origin header to ensure that it contains a domain that is on the list of allowed origins to eliminate Cross-Site WebSocket Hijacking (CSWSH) attacks. The WebSocket server will reject connections with not allowed origins.

The list of allowed origins is not directly configurable via the UI. By default, it contains the host specified in System Configuration > General Setup > Application Settings > URL > Application URL.

How to Customize

To add custom origins, create a provider that implements Oro\Bundle\SyncBundle\Authentication\Origin\OriginProviderInterface and declare it as a service with tag oro_sync.origin_provider, e.g.

    class: Oro\Bundle\SyncBundle\Authentication\Origin\ApplicationOriginProvider
        - ''
        - '@oro_sync.authentication.origin_extractor'
        - { name: oro_sync.origin_provider }

Backend Websocket Client

As origin checking is not required when connecting from the backend, WebSocket client oro_sync.websocket_client always connects with the origin set to


Origins localhost and are automatically added as allowed origins.