Hi,

On line 106 of file HomeController : https://github.com/playframework/play-java-websocket-example/blob/2.6.x/app/controllers/HomeController.java#L106, you are checking origin like that:

return origin.contains("localhost:9000") || origin.contains("localhost:19001");

If someone sends an Origin header with the value localhost:90000 it will be valid even if this is not the same origin. I understand that the port 90000 doesn't exist at all, but imagine someone uses the following code (by simply modifying the code you provide):

return origin.contains("mydomain.com");

It is still possible to do Cross-Site WebSocket Hijacking by using (buying) the domain amydomain.com.

I think it would be preferable to use the equals or equalsIgnoreCase method.