We now check that the origin of the websocket request is a Mozilla or other modern web browser extension. Since KeePassRPC can be used with other clients, we have a hidden configuration option to allow for this requirement to be relaxed.
Find your KeePass configuration file and set a comma-delimited list of the origin prefixes that you wish to allow to connect to KeePass. While KeePass is closed, insert the following to the element:
    <Item>
      <Key>KeePassRPC.webSocket.permittedOrigins</Key>
      <Value>"http://example.com,https://example.com"</Value>
    </Item>
The following values are permitted by default if no value is set for this configuration key (or if all values in the list are empty):
"resource://gre-resources,ms-browser-extension://,safari-web-extension://,moz-extension://,chrome-extension://". In most cases you’ll want to include all of those with any additional origins you wish to permit.
PS: It may be tempting to use this setting to further limit KeePassRPC access to only a whitelist of known browser extensions such as Kee. Unfortunately, even if this works at the moment for some browsers, you should expect it to break soon. The use of a permanent unique identifier in the origins sent by your browser poses a privacy (fingerprinting) risk and thus all browser developers are likely to adopt randomly changing identifiers in the near future (some such as Mozilla Firefox have already done so).
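The permitted-origins behaviour described above, as an added example that is not KeePassRPC's own code: it shows that setting the key replaces the defaults rather than extending them, and builds an `<Item>` that keeps the defaults alongside extra origins. It assumes plain string-prefix matching and that the quotes shown around the value are not part of the list; all function names are hypothetical.

```python
from xml.sax.saxutils import escape

# Defaults quoted on this page for the permittedOrigins key.
DEFAULT_ORIGINS = ("resource://gre-resources,ms-browser-extension://,"
                   "safari-web-extension://,moz-extension://,chrome-extension://")
KEY = "KeePassRPC.webSocket.permittedOrigins"


def parse_origins(value):
    """Split a comma-delimited list and drop blank entries.

    Assumption: the quotes the page shows around the value are stripped.
    """
    items = [p.strip() for p in (value or "").strip().strip('"').split(",")]
    return [p for p in items if p]


def effective_origins(value):
    """An unset key, or a list whose entries are all empty, means the defaults."""
    return parse_origins(value) or parse_origins(DEFAULT_ORIGINS)


def is_permitted(origin, value):
    """Assumed semantics: string-prefix match of the Origin against each entry."""
    return any(origin.startswith(p) for p in effective_origins(value))


def build_item(extra_origins):
    """Render the <Item> with the defaults kept and each extra appended once."""
    merged = parse_origins(DEFAULT_ORIGINS)
    for origin in extra_origins:
        origin = origin.strip()
        if "," in origin or '"' in origin:
            raise ValueError(f"origin cannot contain a comma or quote: {origin!r}")
        if origin and origin not in merged:
            merged.append(origin)
    value = escape('"' + ",".join(merged) + '"')  # same quoted shape as the page
    return f"<Item>\n  <Key>{KEY}</Key>\n  <Value>{value}</Value>\n</Item>"


if __name__ == "__main__":
    print(build_item(["https://example.com"]))  # constructed extra origin
    custom = "http://example.com,https://example.com"  # the page's sample value
    for o in ("https://example.com", "moz-extension://constructed-id"):
        print(o, "custom:", is_permitted(o, custom), "unset:", is_permitted(o, None))
```

With the page's sample value alone, a `moz-extension://` origin is no longer permitted, which is why the defaults are normally carried over into the list.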