Affects: 5.1.4+

OriginHandshakeInterceptor is always registered for a websocket:message-broker. This interceptor checks, for every handshake, whether its origin is the same as the websocket origin or is in a list of allowed origins. The problem is that the same-origin check always fails when loading a websocket, since the origin from a webpage has an http/https scheme, while the websocket has a ws/wss scheme. Best practices encourage checking the scheme for same origin, but this is a possible exception.

I think a fix would be having WebUtils do a special check to explicitly allow this type of request:

ObjectUtils.nullSafeEquals(scheme, originUrl.getScheme()) ||
  "ws".equals(scheme) && "http".equals(originUrl.getScheme()) ||
  "wss".equals(scheme) && "https".equals(originUrl.getScheme())

Comment From: ghost

OK, apparently I was wrong about the protocol. Sorry.