Check_origin for production environment

Hey,

I deployed to production a brand new Phoenix (1.7.0-rc.2) project with the generated LiveView authentication from mix phx.gen.auth. The websocket connections could never be established until I added check_origin: ["//localhost", "//subdomain.example.com"] to my App.Endpoint configuration in config/prod.exs. Before, I kept getting HTTP 403 errors for those websocket connections. Everything worked fine for development as the origin isn’t, as expected, checked.

Is setting check_origin a must for websocket connections to even work? I don’t really understand the documentation on check_origin for Phoenix.Endpoint.socket/3. I would assume my setup is nothing out of the ordinary, besides maybe that having a subdomain is not so common.

Hopefully someone knows what’s the deal here. Thank you!

1 Like

It’s a must for websocket connections to work safely. Consider it the same as using a CSRF token for form submits.

1 Like

Personally, and maybe it is best practice, I would recommend pulling the value for check_origin from an environment variable.

2 Likes

I just ran into this very issue a few moments ago, searched for reading and found this topic.

I understand why the config is important. One thing worth noting, though it’s not directly related to the original question, is that check_origin can be set in runtime.exs. In one of my use case scenarios, I won’t know on what host the application may be running, so having a non-compile-time way to use this configuration point is important.

I see that check_origin can be set to false and no checking is then done… I just tested and it works great! But you end up with the security vulnerability described. I don’t understand (and haven’t yet researched) the statement in the documentation:

If true, the header is checked against :host in YourAppWeb.Endpoint.config(:url)[:host].

But at least it looks like there are avenues to getting a sane value in place after compile time.

2 Likes
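Putting the two suggestions above together (read the allow list from an environment variable, and do it in config/runtime.exs so it applies at boot rather than at compile time), here is an added example of what that can look like. It is not code from the original posts or from Phoenix itself; the application name MyApp / MyAppWeb.Endpoint and the environment variables PHX_HOST and PHX_CHECK_ORIGIN are placeholders chosen for this example. It also shows the meaning of the quoted documentation sentence: with check_origin: true, Phoenix compares the Origin request header against the host configured under url: [host: ...], so for a single-host deployment setting that host correctly is already enough; a list is needed when several hosts or subdomains serve the app.

```elixir
# config/runtime.exs (evaluated when the release boots, not when it is compiled)
import Config

if config_env() == :prod do
  # Placeholder names for this example: PHX_HOST and PHX_CHECK_ORIGIN.
  # The canonical host is what `check_origin: true` would compare the
  # Origin header against.
  host = System.fetch_env!("PHX_HOST")

  # Optional allow list, space- or comma-separated, for example:
  #   PHX_CHECK_ORIGIN="//app.example.com //*.example.com"
  # Entries use Phoenix's "//host" form; "//*.example.com" matches any
  # subdomain of example.com.
  check_origin =
    case System.get_env("PHX_CHECK_ORIGIN") do
      nil ->
        # No explicit list: `true` means "compare the Origin header against
        # url: [host: ...]" (the documentation sentence quoted above).
        # Sufficient when the app is served from exactly one host.
        true

      value ->
        origins = String.split(value, [" ", ","], trim: true)

        # Fail fast at boot on entries that could never match an Origin
        # header, instead of silently rejecting every websocket with 403.
        Enum.each(origins, fn origin ->
          unless String.starts_with?(origin, ["//", "http://", "https://"]) do
            raise ArgumentError,
                  "PHX_CHECK_ORIGIN entry #{inspect(origin)} must look like " <>
                    "//host, http://host or https://host"
          end
        end)

        origins
    end

  config :my_app, MyAppWeb.Endpoint,
    url: [host: host, port: 443, scheme: "https"],
    check_origin: check_origin

  # The weak setting, for contrast. Do not ship this: it disables the Origin
  # check entirely, so any website a visitor has open can establish a
  # websocket to this endpoint from that visitor's browser.
  #
  # config :my_app, MyAppWeb.Endpoint, check_origin: false
end
```

With this in place the endpoint rejects cross-site websocket handshakes (the 403 the first post saw) unless the Origin header matches either the configured host or one of the listed entries. Note that adding "//localhost" to a production allow list, as in the first post, means a page served from a developer's local machine is also accepted as an origin; it is worth keeping development-only entries out of the production value of the variable. For cases the list syntax cannot express, Phoenix also accepts a {Module, :function, args} tuple for check_origin, which is called with the URI of the Origin header and must return a boolean.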