Summary
In internal/ws/cooking.go:118-132, the custom CheckOrigin function returns false for any origin not on the allowlist. Native mobile clients (e.g., the Flutter app) typically send an empty Origin header or no Origin header at all, so the value matches no allowlist entry and the WebSocket handshake is rejected with HTTP 403.
The default CheckOrigin in gorilla/websocket returns true when the Origin header is absent (non-browser clients) and otherwise only enforces same-origin against the request Host, i.e. it is a browser-only check for cross-site WebSocket hijacking.
Impact
iOS/Android app users cannot connect to the cooking WebSocket.
Suggested Fix
Add a case for an empty origin to allow native mobile clients:
if origin == "" {
    return true // native clients (mobile apps) don't send Origin
}
Place this check before the allowlist loop.
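The following is an added example, not code from internal/ws/cooking.go, showing the full shape of such a CheckOrigin function: the empty-origin case placed before the allowlist lookup, origins normalized to scheme://host before comparison, and a small helper that builds handshake-style requests so the behaviour can be checked offline. The allowlist contents, the helper name newRequest, and the request URL are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// allowedOrigins is a constructed allowlist for the example; the real
// project keeps its own list. Keys are normalized "scheme://host[:port]".
var allowedOrigins = map[string]bool{
	"https://app.example.com": true,
}

// checkOrigin has the signature gorilla/websocket expects for
// Upgrader.CheckOrigin: it receives the handshake request and reports
// whether the upgrade should proceed.
func checkOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// No Origin header: a non-browser client (e.g. the mobile app).
		// Browsers always send Origin on a WebSocket handshake, so this
		// branch cannot be reached by a cross-site page; authentication of
		// native clients must come from the session token, not from Origin.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	// Compare scheme://host only, case-insensitively. An opaque "null"
	// origin (sandboxed iframe, file://) parses with an empty host and is
	// therefore rejected, as is any origin with an unexpected port.
	key := strings.ToLower(u.Scheme + "://" + u.Host)
	return allowedOrigins[key]
}

// newRequest builds a handshake-style request with an optional Origin
// header (constructed input for the example; hypothetical helper name).
func newRequest(origin string) *http.Request {
	r, err := http.NewRequest(http.MethodGet, "https://api.example.com/ws/cooking", nil)
	if err != nil {
		panic(err)
	}
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	for _, o := range []string{"", "https://app.example.com", "https://evil.example.net", "null"} {
		fmt.Printf("origin=%q allowed=%v\n", o, checkOrigin(newRequest(o)))
	}
}
```

The ordering matters: the empty-origin branch runs before the allowlist so that native clients are accepted, while a present-but-unlisted Origin (including the browser's opaque "null") still yields 403 on the upgrade.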