Uploaded image for project: 'Apache Guacamole - Contributions'
  1. Apache Guacamole - Contributions
  2. GUAC-1515

WebSocket connection does not fallback to XHR



    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 0.9.9
    • Fix Version/s: None
    • Component/s: guacamole-common-js
    • Labels:
    • Environment:
      Using the most recent Docker image:
      glyptodon/guacamole latest f0c9cc9564aa 24 hours ago 363.6 MB


      My installation of Guacamole is behind a web proxy that blocks websockets. Newer releases of the glyptodon/guacamole docker image do not work correctly in this situation. The error I get in the console is:
      WebSocket connection to 'ws://<site>/guacamole/websocket-tunnel?token=<token>&GUAC_DATA_SOURCE=mysql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1650&GUAC_HEIGHT=446&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' failed: WebSocket is closed before the connection is established.

      I've tried a work around, by having the proxy emit a Content-Security-Policy header that denies websockets. That also failed with this log:
      app.js?v=0.9.9:48 Refused to connect to 'ws://<site>/guacamole/websocket-tunnel?token=<token>&GUAC_DATA_SOURCE=mysql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1650&GUAC_HEIGHT=446&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

      app.js?v=0.9.9:25 Error: Failed to construct 'WebSocket': Refused to connect to 'ws://<site>/guacamole/websocket-tunnel?token=<token>&GUAC_DATA_SOURCE=mysql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1650&GUAC_HEIGHT=446&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' because it violates the document's Content Security Policy.
      at Error (native)
      at connect (http://<site>/guacamole/app.js?v=0.9.9:48:55315)
      at b (http://<site>/guacamole/app.js?v=0.9.9:48:57019)
      at connect (http://<site>/guacamole/app.js?v=0.9.9:48:57085)
      at connect (http://<site>/guacamole/app.js?v=0.9.9:48:14273)
      at L (http://<site>/guacamole/app.js?v=0.9.9:76:41815)
      at http://<site>/guacamole/app.js?v=0.9.9:25:181564
      at C.$eval (http://<site>/guacamole/app.js?v=0.9.9:25:189209)
      at C.$digest (http://<site>/guacamole/app.js?v=0.9.9:25:187682)
      at C.$apply (http://<site>/guacamole/app.js?v=0.9.9:25:189491)

      app.js?v=0.9.9:48 Uncaught TypeError: Cannot read property 'close' of null

      This is the Content-Security-Policy that was used: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:

      I have an older version of the docker container that does work for the first case (without the CSP header) by falling back to XHR after the websocket times-out.
      glyptodon/guacamole latest <none> 813f0fb5e14e 6 months ago 362.3 MB

      Is there a configuration parameter to disable websockets? Can Tunnel.js support downgrading to XHR if the Content-Security-Policy denies websockets or if the websocket connection fails?




            Unassigned Unassigned
            esev@google.com Eric Severance
            0 Vote for this issue
            2 Start watching this issue