Diffstat (limited to 'chromium/content/browser/devtools/devtools_http_handler.cc')
-rw-r--r--chromium/content/browser/devtools/devtools_http_handler.cc29
1 files changed, 29 insertions, 0 deletions
diff --git a/chromium/content/browser/devtools/devtools_http_handler.cc b/chromium/content/browser/devtools/devtools_http_handler.cc
index 78e4d0a6b13..6da55042282 100644
--- a/chromium/content/browser/devtools/devtools_http_handler.cc
+++ b/chromium/content/browser/devtools/devtools_http_handler.cc
@@ -10,6 +10,7 @@
#include <utility>
#include "base/bind.h"
+#include "base/command_line.h"
#include "base/compiler_specific.h"
#include "base/files/file_util.h"
#include "base/guid.h"
@@ -38,6 +39,7 @@
#include "content/public/browser/devtools_manager_delegate.h"
#include "content/public/browser/devtools_socket_factory.h"
#include "content/public/common/content_client.h"
+#include "content/public/common/content_switches.h"
#include "content/public/common/url_constants.h"
#include "content/public/common/user_agent.h"
#include "net/base/io_buffer.h"
@@ -752,6 +754,13 @@ void DevToolsHttpHandler::OnWebSocketRequest(
if (!thread_)
return;
+ if (request.headers.count("origin") &&
+ !remote_allow_origins_.count(request.headers.at("origin")) &&
+ !remote_allow_origins_.count("*")) {
+ Send403(connection_id);
+ return;
+ }
+
if (base::StartsWith(request.path, browser_guid_,
base::CompareCase::SENSITIVE)) {
scoped_refptr<DevToolsAgentHost> browser_agent =
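Review bot: The allow-list is lower-cased when the constructor builds it, but the header value in `!remote_allow_origins_.count(request.headers.at("origin"))` is compared as received, so an `Origin` with a mixed-case scheme or host never matches an entry. That fails closed, yet the two sides should agree; comparing `base::ToLowerASCII(request.headers.at("origin"))` would do it. A request with no `Origin` header skips the check entirely, which looks deliberate for non-browser clients and deserves a comment such as `// No Origin header: not sent by a web page, so the allow-list is not consulted.` OnWebSocketRequest begins and continues outside this hunk, and whether the plain HTTP endpoints apply the same check is not visible here.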
@@ -823,6 +832,14 @@ DevToolsHttpHandler::DevToolsHttpHandler(
output_directory, debug_frontend_dir, browser_guid_,
delegate_->HasBundledFrontendResources()));
}
+ std::string remote_allow_origins = base::ToLowerASCII(
+ base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+ switches::kRemoteAllowOrigins));
+
+ auto origins =
+ base::SplitString(remote_allow_origins, ",", base::TRIM_WHITESPACE,
+ base::SPLIT_WANT_NONEMPTY);
+ remote_allow_origins_.insert(origins.begin(), origins.end());
}
void DevToolsHttpHandler::ServerStarted(
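Review bot: The switch value is split and stored verbatim, so an entry that is not a serialized origin (a trailing slash, a path, a bare host name) is accepted silently and can never equal an `Origin` header. A comment above the parsing would make the contract explicit, for example `// Entries are exact origins (scheme://host[:port], no trailing slash); "*" accepts any origin.` The `*` entry in particular switches the check in OnWebSocketRequest off for every page and should be called out there. The constructor begins outside this hunk.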
@@ -882,6 +899,18 @@ void DevToolsHttpHandler::Send404(int connection_id) {
base::Unretained(server_wrapper_.get()), connection_id));
}
+void DevToolsHttpHandler::Send403(int connection_id) {
+ if (!thread_) {
+ return;
+ }
+ net::HttpServerResponseInfo response(net::HTTP_FORBIDDEN);
+ response.SetBody(std::string(), "text/html");
+ thread_->task_runner()->PostTask(
+ FROM_HERE, base::BindOnce(&ServerWrapper::SendResponse,
+ base::Unretained(server_wrapper_.get()),
+ connection_id, response));
+}
+
void DevToolsHttpHandler::Send500(int connection_id,
const std::string& message) {
if (!thread_)
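Review bot: Send403 answers with an empty `text/html` body and nothing is logged where it is called, so a developer whose tool is refused gets no hint that the origin allow-list is the cause. A rejected cross-origin attempt also leaves no trace for anyone monitoring the debugging port. A short plain-text body, `response.SetBody("Origin not allowed", "text/plain");`, would cover the first point, and a warning log at the rejection site in OnWebSocketRequest would cover the second.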