Important

You are browsing documentation for version 5.1 of OroCommerce, supported until March 2026. Read the documentation for version 6.0 (the latest LTS version) to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

Origin Checking

When a connection with the WebSocket server is established, it checks the Origin header to ensure that it contains a domain that is on the list of allowed origins to eliminate Cross-Site WebSocket Hijacking (CSWSH) attacks. The WebSocket server will reject connections with not allowed origins.

The list of allowed origins is not directly configurable via the UI. By default, it contains the host specified in System Configuration > General Setup > Application Settings > URL > Application URL.

How to Customize

To add custom origins, create a provider that implements Oro\Bundle\SyncBundle\Authentication\Origin\OriginProviderInterface and declare it as a service with tag oro_sync.origin_provider, e.g.

oro_sync.authentication.application_origin_provider:
    class: Oro\Bundle\SyncBundle\Authentication\Origin\ApplicationOriginProvider
    arguments:
        - '@oro_config.global'
        - '@oro_sync.authentication.origin_extractor'
    tags:
        - { name: oro_sync.origin_provider }

Backend Websocket Client

As origin checking is not required when connecting from the backend, WebSocket client oro_sync.websocket_client always connects with the origin set to 127.0.0.1.

Note

Origins localhost and 127.0.0.1 are automatically added as allowed origins.