push_stream_allowed_origins for websockets not set


Jeroen Diderik

Aug 19, 2015, 4:40:36 AM
to nginxpushstream
Hi,

Somehow, I have the idea that push_stream_allowed_origins settings on websockets do not work?
I set it on the eventsource location and it all works fine and connections are nicely blocked when coming from a non-valid domain.
But websockets can actually connect when coming from a different domain. The Access-Control-Allow-Origin headers do not seem to get set for websockets...
What am I missing?

I set the push_stream_allowed_origins the following way (reduced my conf for simplicity):

server {

    set $cors 'http://my.main.domain';

    location /ev {
        # Anchored (^...$) so only these exact hosts, with an optional port, match
        if ($http_origin ~* '^https?://(my\.second\.domain|some\.other\.domain|localhost)(:[0-9]+)?$') {
            set $cors $http_origin;
        }
        push_stream_allowed_origins $cors;
    }

    location /ws {
        # Same anchored allowlist as /ev
        if ($http_origin ~* '^https?://(my\.second\.domain|some\.other\.domain|localhost)(:[0-9]+)?$') {
            set $cors $http_origin;
        }
        push_stream_allowed_origins $cors;
    }

}




Wandenberg Peixoto

Aug 19, 2015, 8:57:29 AM
to nginxpu...@googlegroups.com
The WebSocket protocol does not handle the origin by itself.
The server should deal with it, as stated in the RFC.
But since this only applies to browsers, I didn't implement any validation for websockets (a client that knows how to set a header is still able to fake the Origin header).
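
One way to reject cross-origin WebSocket handshakes in nginx itself, given the reply that the module does not validate the origin for websockets. This is an added example, not part of the thread or the module's documentation; the variable name $ws_origin_ok is chosen here and the hostnames are the placeholders from the original post. As the reply notes, the check only constrains browsers, since other clients can send any Origin value.

```nginx
# Added example. $ws_origin_ok is a hypothetical variable name;
# the hostnames are the placeholders used in the original post.

# http context: classify the Origin header once per request.
map $http_origin $ws_origin_ok {
    # Missing or unlisted Origin is rejected. Clients that send no
    # Origin header at all are therefore refused as well.
    default 0;

    # Anchored at both ends so only these exact hosts, with an
    # optional port, are accepted.
    "~*^https?://(my\.main\.domain|my\.second\.domain|some\.other\.domain|localhost)(:[0-9]+)?$" 1;
}

server {
    location /ws {
        # "return" is evaluated in the rewrite phase, before the
        # location's content handler, so a rejected Origin gets a 403
        # instead of a WebSocket upgrade.
        if ($ws_origin_ok = 0) {
            return 403;
        }

        # ... the location's existing push_stream subscriber directives ...
    }
}
```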
