Skip to content

[release/8.0-staging] Deny unmasked frame receive for WebSocket Server#123662

Open
liveans wants to merge 1 commit intodotnet:release/8.0-stagingfrom
liveans:deny_unmasked_frame_receive_websocket_server_release_8
Open

[release/8.0-staging] Deny unmasked frame receive for WebSocket Server#123662
liveans wants to merge 1 commit intodotnet:release/8.0-stagingfrom
liveans:deny_unmasked_frame_receive_websocket_server_release_8

Conversation

@liveans
Copy link
Member

@liveans liveans commented Jan 27, 2026
edited by karelz
Loading

Backport of #123485 to release/8.0-staging

Increasing RFC compliance for WebSocket

Customer Impact

RFC compliance

Regression

No

Testing

Manual verification + automated tests

Risk

Low, the change only affects non‑compliant WebSocket clients sending unmasked frames, which is explicitly disallowed by RFC 6455. No behavior change is expected for compliant clients.

Copilot AI review requested due to automatic review settings January 27, 2026 10:30
@liveans liveans changed the title [release/9.0-staging] Deny unmasked frame receive for WebSocket Server #123661 [release/8.0-staging] Deny unmasked frame receive for WebSocket Server #123661 Jan 27, 2026
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 27, 2026

Tagging subscribers to this area: @karelz, @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Copilot AI reviewed Jan 27, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR backports WebSocket RFC 6455 compliance improvements from #123485 to the release/9.0-staging branch. It adds server-side validation to reject unmasked frames from clients, which is required by the WebSocket protocol specification.

Changes:

  • Added validation logic to deny unmasked frames received by WebSocket servers
  • Added corresponding error message resource string
  • Added unit test to verify the new validation behavior

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
src/libraries/System.Net.WebSockets/src/System/Net/WebSockets/ManagedWebSocket.cs Adds validation to reject unmasked frames when operating as a server, following RFC 6455 requirements
src/libraries/System.Net.WebSockets/src/Resources/Strings.resx Adds error message resource for the unmasked frame validation error
src/libraries/System.Net.WebSockets/tests/WebSocketTests.cs Adds test case to verify servers reject unmasked frames and enter Aborted state with appropriate error message

@liveans liveans changed the title [release/8.0-staging] Deny unmasked frame receive for WebSocket Server #123661 [release/8.0-staging] Deny unmasked frame receive for WebSocket Server Jan 27, 2026
This was referenced Jan 27, 2026
Open
Open
Open
Open
Open
@karelz karelz added the Servicing-consider Issue for next servicing release review label Feb 3, 2026
@karelz karelz added this to the 8.0.x milestone Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@karelz karelz karelz approved these changes

@MihaZupan MihaZupan MihaZupan approved these changes

Assignees

@liveans liveans

Labels

area-System.Net Servicing-consider Issue for next servicing release review

Projects

None yet

Milestone

8.0.x

Development

Successfully merging this pull request may close these issues.

3 participants

@liveans @karelz @MihaZupan