Origin can be spoofed by a malicious program, but not by a webpage. This distinction is relevant to mitigating the following scenario:
1. The websockify server lives behind a firewall; it is not publicly accessible.
2. The user password for the service behind websockify (e.g. novnc) is compromised by an attacker.
3. The user of a computer on the private LAN opens a webpage controlled by the attacker. Now the attacker's page can connect to the websockified service if Origin has not been checked, and will authenticate.
The risks of operating websockify on a LAN without ExpectOrigin should not be understated.
Obviously unsandboxed malware on the LAN can spoof Origin regardless, but this requires a browser exploit in the scenario described.
IMHO, ExpectOrigin should not be an authentication method but an option one can pass on the command line.
It adds another obstacle for a malicious user to overcome but should not be relied upon for authentication because Origin can be spoofed.
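
An added example, not part of the original issue and not websockify's own code: a server-side Origin allow-list check on the WebSocket upgrade request, applied before the backing service's own authentication. The host names, port, path and function names are constructed for illustration, and refusing a handshake with no Origin header is a policy assumption.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None if malformed."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # also rejects the opaque origin "null"
    # A serialized origin has no userinfo, path, query or fragment.
    if parts.username or parts.path or parts.query or parts.fragment:
        return None
    return (scheme, parts.hostname.lower(), DEFAULT_PORTS[scheme] if port is None else port)

def parse_headers(raw_request):
    """Header map from a raw HTTP request: names lower-cased, repeated headers kept."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def origin_allowed(raw_request, allowed_origins):
    """True only if the handshake has exactly one Origin and it is on the allow-list."""
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    origins = parse_headers(raw_request).get("origin", [])
    if len(origins) != 1:  # missing or duplicated Origin: refuse the upgrade
        return False
    return normalize_origin(origins[0]) in allowed

# Constructed sample data: host names, port and path are assumptions.
ALLOWED = ["http://novnc.lan.example:6080"]

def handshake(origin_lines):
    """Build a constructed WebSocket upgrade request with the given Origin line(s)."""
    return ("GET /websockify HTTP/1.1\r\nHost: novnc.lan.example:6080\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n" + origin_lines + "\r\n")

if __name__ == "__main__":
    for o in ("http://novnc.lan.example:6080", "https://attacker.example"):
        print(o, origin_allowed(handshake("Origin: " + o + "\r\n"), ALLOWED))
```

Comparing parsed (scheme, host, port) tuples rather than raw strings keeps prefix and suffix look-alikes of the allowed host from matching.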