Describe the bug
When Chainlit establishes WebSocket comms, it does not verify the Origin request header. This means it is vulnerable to Cross-Site WebSocket Hijacking. I have PoC'd this and can successfully establish WebSockets from an arbitrary domain without requiring credentials, but my interaction with the WebSocket was limited to ping messages due to the absence of any cookies (i.e. SameSite=Lax prevents full hijacking), so I see this as a potential resource exhaustion problem if many sockets are opened rather than a full hijack.
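The check the report says is missing, as an added example (not Chainlit's code and not the reporter's PoC): validate the Origin header of the WebSocket handshake against an allow-list before accepting the upgrade. The allow-list `ALLOWED_ORIGINS`, the hostname `app.example` and the header dicts are constructed for illustration; the `handle_upgrade` return values mimic HTTP status codes but are not tied to any framework.

```python
"""Origin allow-list check for a WebSocket / Socket.IO handshake.

Added example, not Chainlit's own code. It assumes the app is served at
https://app.example (constructed) and that handshake headers arrive as a
dict, as they do in most WSGI/ASGI frameworks.
"""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed allow-list: browser origins permitted to open sockets.
ALLOWED_ORIGINS = {"https://app.example", "https://app.example:8443"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical form, or None if malformed.

    A browser-sent Origin is scheme://host[:port] with no path, query or
    fragment. Hostnames are lowercased and default ports dropped so that
    https://app.example and HTTPS://APP.example:443 compare equal.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()  # .hostname is already lowercased; explicit for clarity
    default_port = 443 if scheme == "https" else 80
    if port is None or port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_allowed(headers: Dict[str, str],
                   allowed: Iterable[str] = ALLOWED_ORIGINS,
                   allow_missing: bool = True) -> bool:
    """Decide whether a handshake's Origin header is acceptable.

    Header names are matched case-insensitively. A literal "null" origin
    (sandboxed iframe, file:// page) is always rejected. Browsers always
    send Origin on a WebSocket handshake, so a missing header means a
    non-browser client, which cannot carry a victim's cookies; that is why
    allow_missing defaults to True. Pass allow_missing=False to require it.
    """
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return allow_missing
    if origin.strip().lower() == "null":
        return False
    canon = normalize_origin(origin)
    allowed_canon = {normalize_origin(o) for o in allowed} - {None}
    return canon is not None and canon in allowed_canon


def handle_upgrade(headers: Dict[str, str]) -> int:
    """Simulated upgrade handler: 101 (Switching Protocols) or 403 (Forbidden).

    The Origin decision must happen here, on the HTTP upgrade request,
    before any socket is registered, so a cross-site page cannot even
    hold a connection open (the resource-exhaustion case the report raises).
    """
    return 101 if origin_allowed(headers) else 403


if __name__ == "__main__":
    # Constructed handshakes: same-origin page vs. a page on another site.
    print(handle_upgrade({"Origin": "https://app.example"}))       # 101
    print(handle_upgrade({"Origin": "https://attacker.example"}))  # 403
```

Whether to accept a missing Origin is a policy choice: rejecting it blocks non-browser clients (CLIs, health checks) that never had the cross-site problem, so the example keeps them but gives an opt-out. Engine.IO/Socket.IO servers expose a `cors_allowed_origins` parameter that performs an equivalent handshake-time Origin check; how Chainlit wires that up is not shown on this page and is not assumed here.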