Adding custom headers in the response of websocket upgrade requests


Bharadwaj Machiraju

Sep 18, 2013, 1:46:28 PM
to python-...@googlegroups.com
Hey guys,

Is there any way of adding custom headers in responses to "Upgrade: websocket" requests other than overriding the accept_connection instance method (or the _accept_connection instance method)?

Currently for WebSocketProtocol13, the following response goes back:

"HTTP/1.1 101 Switching Protocols\r\n" "Upgrade: websocket\r\n" "Connection: Upgrade\r\n" "Sec-WebSocket-Accept: %s\r\n" "%s" "\r\n" % (self._challenge_response(), subprotocol_header))

I want to add a custom header to these existing ones. Is there any way to do this other than overriding? Will some mechanism be provided in the future?

P.S. I wish to add some CORS headers (but I have to change their value per request).

Thanks,
tunnelshade

Ben Darnell

Sep 18, 2013, 8:38:24 PM
to Tornado Mailing List
I'm not sure it's meaningful to pass additional headers in this phase of the handshake.  Websockets are not HTTP; they are a separate protocol tunneled over HTTP.  The websocket protocol does not specify that the server can send additional headers in its handshake (http://tools.ietf.org/html/rfc6455#section-4.2.2; note that the client side *does* say that clients can send arbitrary additional headers) and client implementations probably wouldn't know what to do with them if the server did send any (for example, there's no place for them to be exposed in the javascript interface: http://dev.w3.org/html5/websockets/).

As for CORS headers in particular, they should not be required for websockets because websockets are not subject to the usual same-origin policy. Instead, the client reliably reports the origin to the server and it is the server's responsibility to see if the origin is one it expects before trusting any implicit authenticators (cookies or HTTP basic/digest auth).  This seems like a risky policy to me since it's very different from the way the rest of the web security model works^H^H^H^H^Hbehaves, but that's how websockets are specified.

-Ben


--
You received this message because you are subscribed to the Google Groups "Tornado Web Server" group.
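The origin check Ben describes, as an added example that is not part of this thread or of Tornado's own code: the server reads the handshake's Origin header and refuses to proceed with ambient credentials (cookies, basic auth) unless the origin is one it expects. In Tornado 4.0 and later the natural place for this decision is WebSocketHandler.check_origin(self, origin), which did not yet exist when this was written, so the block is plain Python with a constructed allow-list rather than a handler; the origins in ALLOWED_ORIGINS are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list (assumption for this example): the only sites
# expected to embed the websocket client for this server.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com:8443",
}


def normalize_origin(origin):
    """Reduce an Origin value to scheme://host[:port], lower-casing the host
    and dropping the scheme's default port, so that 'https://App.Example.com:443'
    and 'https://app.example.com' compare equal.  Returns None for anything
    that is not an http(s) origin (including the literal 'null')."""
    parsed = urlparse(origin)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    try:
        port = parsed.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default = 443 if parsed.scheme == "https" else 80
    host = parsed.hostname.lower()
    if port is None or port == default:
        return f"{parsed.scheme}://{host}"
    return f"{parsed.scheme}://{host}:{port}"


def origin_allowed(origin_header, allowed=ALLOWED_ORIGINS):
    """Decide whether a handshake may proceed with the browser's implicit
    credentials.  Browsers always send Origin on a websocket handshake, so a
    missing, blank or 'null' value is refused rather than trusted by default;
    a subdomain or a scheme/port mismatch is refused because the comparison
    is on the whole normalized origin, not a prefix."""
    if not origin_header:
        return False
    norm = normalize_origin(origin_header.strip())
    if norm is None:
        return False
    return norm in {normalize_origin(a) for a in allowed}
```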
