Hi,
Somehow, I have the idea that push_stream_allowed_origins settings on websockets do not work?
I set it on the eventsource location and it all works fine and connections are nicely blocked when coming from a non-valid domain.
But websockets can actually connect when coming from a different domain. The Access-Control-Allow-Origin headers do not seem to get set for websockets...
What am I missing?
I set the push_stream_allowed_origins the following way (reduced my conf for simplicity):
server {
    location /ev {
        if ($http_origin ~* 'https?://(my\.second\.domain|some\.other\.domain|localhost)' ) {
            set $cors $http_origin;
        }
        push_stream_allowed_origins $cors;
    }
    location /ws {
        if ($http_origin ~* 'https?://(my\.second\.domain|some\.other\.domain|localhost)' ) {
            set $cors $http_origin;
        }
        push_stream_allowed_origins $cors;
    }
}
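An added example, not part of the original post: a Python audit of the Origin regex used in both locations above. nginx's `~*` is an unanchored, case-insensitive match, so the pattern is compared with an anchored variant on constructed Origin values. `STRICT_PATTERN`, `origin_allowed` and `audit` are names assumed for this illustration.

```python
import re

# Pattern copied from the config above; nginx's "~*" is an unanchored,
# case-insensitive match, mirrored here with re.search + IGNORECASE.
PAGE_PATTERN = r"https?://(my\.second\.domain|some\.other\.domain|localhost)"

# Assumed stricter variant (not from the post): anchored at both ends,
# with an optional port.
STRICT_PATTERN = (r"^https?://(my\.second\.domain|some\.other\.domain|localhost)"
                  r"(:[0-9]{1,5})?$")


def origin_allowed(origin, pattern):
    """Return True if this Origin value would satisfy the nginx `if` test."""
    if not origin:
        return False  # no Origin header: $http_origin is empty, no match
    return re.search(pattern, origin, re.IGNORECASE) is not None


def audit(origins, loose=PAGE_PATTERN, strict=STRICT_PATTERN):
    """List origins the loose pattern accepts but the strict one rejects."""
    return [o for o in origins
            if origin_allowed(o, loose) and not origin_allowed(o, strict)]


# Constructed sample Origin values (not taken from real traffic).
SAMPLE_ORIGINS = [
    "https://my.second.domain",
    "http://localhost:8080",
    "https://SOME.other.domain",
    "https://my.second.domain.unrelated.example",
    "https://localhost.unrelated.example",
    "https://unrelated.example/?next=http://localhost",
    "https://unrelated.example",
    "",
]

if __name__ == "__main__":
    for o in SAMPLE_ORIGINS:
        print(f"{o!r:52} page={origin_allowed(o, PAGE_PATTERN)} "
              f"strict={origin_allowed(o, STRICT_PATTERN)}")
    print("accepted only by the unanchored pattern:", audit(SAMPLE_ORIGINS))
```

Any origin the audit lists would be copied into `$cors` by the config as posted, because the `set` runs whenever the unanchored pattern matches anywhere in the header value.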