Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverFlow original URL: http://stackoverflow.com/questions/30291137/

Time: 2020-10-28 12:00:06  Source: igfitidea

How can I override the Origin header in Chrome when connecting to a WebSocket?

javascript google-chrome websocket

Asked by David Frank

I am trying to connect to an external web socket server, which is not run by myself. I would like to connect to it from a localhost javascript file, therefore the origin header has null value.

I understand that this is a measure against cross-site forgery. However, since I am on localhost, I should be able to fake this, by getting Chrome to send a custom Origin header.

Is it possible? (if I need an extension, that is fine)

If not, what is my best option to achieve the above? Thank you.

Answered by Rob W

Web pages cannot change the Origin header, but extensions can modify the request headers via the chrome.webRequest API. But ws:// and wss:// are not supported by this API, so this doesn't help unless the server also supports other means of communication via http(s) (e.g. long-polling).

There is still a solution though: Simply load a (known) web page at the desired origin in an iframe (e.g. https://example.com/favicon.ico or https://example.com/robots.txt) and use a content script to open the WebSocket from there.

Answered by adriann

The Origin header is one of the headers that are set automatically by the user agent (as part of the browser implementation), and cannot be altered programmatically or through extensions. This makes sense because web service providers cannot allow random connections from localhosts.

You can connect to an external WebSocket only if you do it from a host explicitly accepted by the web service provider. Many headers cannot be trusted (because they can be overridden), but this is not the case with Origin as it offers security not only for users, but also for service providers against unwanted connections.

Answered by tato

As far as I know, this will not be possible; it would break the security guards against CSRF in Chrome.

If you were able to do that the whole concept of XHR would fall apart.

Here is an extension you can use to manipulate headers on the fly, but so far I have not been able to get it to manipulate socket headers.

Look here if you want to read more about this.

But this doesn't stop you from implementing your own client (in place of Chrome) where you can literally send whatever headers you want. Not sure if this helps you, sorry.

Answered by Gillsoft AB

It depends on how you want to use your Chrome browser. Since you mention localhost, I assume you develop and will use this for some kind of scraping. I suggest that you explore Chrome DevTools Protocol, which will render (almost) any kind of protection useless because you use a real browser. CORS, Origin, Cookie or any arbitrary header value will be under your control, and you can send a custom header for xhr/websocket request(s). If you want to manipulate in a more advanced way you can use Network.continueInterceptedRequest. You might only want to start chrome using parameters like "--disable-web-security, --disable-xss-auditor, --disable-client-side-phishing-detection, --allow-insecure-localhost"; more about such options at peter.sh. However, the last option requires a plugin in order to spoof origin header so I recommend the first option.
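
The answers above look at Origin from the client side. The block below is an added example, not part of any answer on this page, showing the server-side check they refer to: an exact-match allowlist applied to the WebSocket handshake headers. The names ALLOWED_ORIGINS, normalizeOrigin and checkUpgradeOrigin and all origin values are assumptions constructed for illustration.

```javascript
// Added example: Origin check for a WebSocket upgrade request (server side).
// ALLOWED_ORIGINS, normalizeOrigin and checkUpgradeOrigin are hypothetical names.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed sample values
  "https://example.com:8443",
]);

// Reduce an Origin header value to scheme://host[:port]. Returns null for the
// literal "null" (sent by file:// pages and sandboxed frames) and for anything
// that is not a bare http(s) origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) return null;
  return url.origin; // lower-cased host, default port dropped
}

// headers: request headers keyed by lower-case name, as Node's http module exposes them.
function checkUpgradeOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const raw = headers["origin"];
  // Browsers always send Origin on a WebSocket handshake; rejecting its absence
  // is a policy choice for an endpoint meant only for browser pages.
  if (raw === undefined) return { accept: false, reason: "missing" };
  const origin = normalizeOrigin(raw);
  if (origin === null) return { accept: false, reason: "opaque-or-malformed" };
  // Exact match only: prefix or substring tests would accept look-alike hosts.
  if (!allowed.has(origin)) return { accept: false, reason: "not-allowlisted" };
  // Acceptance says a browser page on a listed origin opened the socket. A
  // non-browser client picks its own Origin, so the session still needs auth.
  return { accept: true, reason: "allowlisted" };
}

// Constructed handshake headers covering the cases discussed in the thread.
const samples = [
  { origin: "https://app.example.com" },
  { origin: "null" },                               // page loaded from a local file
  {},                                               // client that omits Origin
  { origin: "https://app.example.com.evil.test" },  // look-alike host
];
for (const h of samples) console.log(JSON.stringify(h), "->", checkUpgradeOrigin(h).reason);
```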