Update changelog with origin check

code-asher · code-asher · commit 9aaf749e9bce · 2023-03-02T18:37:04.000-09:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,17 @@ Code v99.99.999
 
 -->
 
+## Unreleased
+
+Code v1.75.1
+
+### Security
+
+Add an origin check to web sockets to prevent a cross-site hijacking attack that
+affects those who use older or niche browsers that do not support SameSite
+cookies and those who access code-server under a shared domain with other users
+on separate sub-domains.
+
 ## [4.10.0](https://github.com/coder/code-server/releases/tag/v4.10.0) - 2023-02-15
 
 Code v1.75.1
diff --git a/test/unit/node/routes/health.test.ts b/test/unit/node/routes/health.test.ts
@@ -21,8 +21,7 @@ describe("health", () => {
 
   it("/healthz (websocket)", async () => {
     codeServer = await integration.setup(["--auth=none"], "")
-    const ws = await codeServer.ws("/healthz")
-    ws.send(JSON.stringify({ event: "health" }))
+    const ws = codeServer.ws("/healthz")
     const message = await new Promise((resolve, reject) => {
       ws.on("error", (err) => {
         console.error("[healthz]", err)
@@ -35,6 +34,7 @@ describe("health", () => {
           reject(error)
         }
       })
+      ws.on("open", () => ws.send(JSON.stringify({ event: "health" })))
     })
     ws.terminate()
     expect(message).toStrictEqual({ event: "health", status: "expired", lastHeartbeat: 0 })
