Claude Bot ca6b28b2ac fix(websocket): validate Sec-WebSocket-Accept header per RFC 6455 ...

The WebSocket upgrade client checked that the Sec-WebSocket-Accept
header was present but never validated its value against the expected
SHA-1 hash of the client's Sec-WebSocket-Key concatenated with the
RFC 6455 magic GUID. This allowed a MitM attacker to fake a WebSocket
handshake with any arbitrary accept value.

Store the expected accept value (computed during request construction)
on the client struct and validate it against the server's response
during the upgrade handshake.

Co-Authored-By: Claude <noreply@anthropic.com>

2026-02-12 04:49:38 +00:00

..

bun

fix(kqueue): fix incorrect filter comparison causing excessive CPU on macOS (#26812)

2026-02-09 00:52:17 -08:00

deno

Deflake a test

2024-12-12 02:07:29 -08:00

first_party

feat(websocket): add HTTP/HTTPS proxy support (#25614)

2026-01-08 16:21:34 -08:00

junit-reporter

feat(test): add --retry flag and emit separate testcase entries for retries in JUnit XML (#26866)

2026-02-10 10:58:21 -08:00

node

fix(crypto): correct method and constructor names mangled by number renamer (#26876)

2026-02-10 23:06:22 -08:00

sql

refactor(test): use container-based postgres_tls for TLS SQL tests (#26518)

2026-01-27 23:32:39 -08:00

third_party

@types/bun: Update to @types/node@25, fallback to PropertyKey in test expect matchers when keyof unknown is used (#25460)

2025-12-10 18:15:55 -08:00

valkey

fix(test): update valkey test snapshots for Redis 8 error message format (#26878)

2026-02-10 16:30:55 -08:00

web

fix(websocket): validate Sec-WebSocket-Accept header per RFC 6455

2026-02-12 04:49:38 +00:00

workerd

Handle rejected promises in EventLoop.autoTick (#17346)

2025-02-14 17:49:30 -08:00