mojira.dev
MC-305715

Cannot authenticate to Minecraft Server Management Protocol from environments without an Origin header.

In certain environments, like NodeJS, the built-in WebSocket facilities do not allow developers to specify an Origin header. Since the current Server Management Protocol implementation rejects all WebSocket connections without an Origin header, this makes it impossible to use these language built-ins to connect.

Checking the Origin header is certainly a useful security feature for preventing untrusted websites from detecting and manipulating the websocket connection, but browsers always automatically append the Origin header. As such, it should be safe to accept requests with a missing Origin header since a website cannot make a websocket request without one.

Steps to reproduce the issue:

  1. Set up a Minecraft server with an enabled and configured Minecraft Server Management Protocol in server.properties (TLS doesn’t matter here).

  2. Run the following code in NodeJS (with a correct WebSocket URL and Server Management Protocol Secret):

    // The secret is passed as the second WebSocket subprotocol.
    const socket = new WebSocket("ws://WEBSOCKET_URL_HERE", ["minecraft-v1", "YOUR_ALPHANUMERIC_SECRET_KEY_HERE"]);
    
    socket.addEventListener("open", () => {
      socket.send('{"jsonrpc":"2.0","method":"minecraft:server/status","id":1}');
    });
    
    // The handler must take the event as a parameter to read its data.
    socket.addEventListener("message", (message) => {
      console.log(message.data);
    });

Expected Result:

I’d expect to see the current server status logged from the response message.

Actual Result:

The authentication fails, causing the socket to close.

Suggested Resolution:

Allow requests with a missing Origin header or add a property to disable the Origin header check for localhost IPs.

Justifying Situation:

Developing a facade application to collect server events and expose them to a public web client. Since the Minecraft Server Management Protocol does not currently have any form of scoping, it cannot be exposed directly to the frontend in most cases without risk of server griefing. At the same time, showing server stats, current players, and live join/leave information publicly is desirable for some servers, hence the middle-layer to hide sensitive controls/info while showing less sensitive data.

Thank you for your time and consideration!

Environment

Vanilla 1.21.11 server.jar, NodeJS v22.
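
The Origin policy the report proposes, sketched as an added example (not Mojang's code and not part of the original report): a present but unlisted Origin is rejected, a missing Origin is accepted, and the secret is required either way. `POLICY`, `checkHandshake`, the reason strings and all sample values are hypothetical.

```javascript
// Hypothetical handshake policy; every value below is constructed.
const POLICY = {
  secret: "CONSTRUCTEDSECRET0123456789",
  allowedOrigins: ["https://admin.example.test"], // trusted browser front ends
  allowMissingOrigin: true, // the behaviour requested in this report
};

// String comparison that does not stop at the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

function checkHandshake(headers, policy) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Browsers always attach Origin to WebSocket handshakes, so a present
  // Origin means a web page is involved and must match the allowlist.
  // The literal "null" origin (sandboxed frames) never matches.
  const origin = h["origin"];
  if (origin !== undefined && !policy.allowedOrigins.includes(origin)) {
    return { accept: false, reason: "origin-not-allowed" };
  }
  if (origin === undefined && !policy.allowMissingOrigin) {
    return { accept: false, reason: "origin-required" };
  }

  // The client on this page sends ["minecraft-v1", SECRET] as subprotocols;
  // they arrive as one comma-separated Sec-WebSocket-Protocol header.
  const protocols = (h["sec-websocket-protocol"] || "")
    .split(",")
    .map((p) => p.trim());
  if (protocols.length !== 2 || protocols[0] !== "minecraft-v1") {
    return { accept: false, reason: "bad-subprotocol" };
  }
  // A missing Origin only rules out a browser; the secret still authenticates.
  if (!constantTimeEqual(protocols[1], policy.secret)) {
    return { accept: false, reason: "bad-secret" };
  }
  return { accept: true, reason: origin ? "allowed-origin" : "non-browser-client" };
}
```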

Comments 1

Hi!
Thank you for your report!
After consideration, the issue is being closed as Invalid.

You have posted a feature request or a suggestion. This site is for bug reports only.
For suggestions, please visit https://feedback.minecraft.net

Quick Links:
📓 Issue Guidelines – 💬 Mojang Support – 📧 Suggestions – 📖 Minecraft Wiki

Luke Taylor

(Unassigned)

Unconfirmed

(Unassigned)

1.21.11
