Implemented CORS support

Paul Colomiets

Aug 2, 2012, 4:45:12 PM
to zer...@googlegroups.com
Hi,

I've just implemented CORS support, which stands for Cross-Origin
Resource Sharing. This allows connecting to a websocket (or especially
an emulated websocket) from a domain other than the domain where the page
resides. This results in easier integration of websockets into your
applications.

During the work, I've fixed the "headers" configuration directive to
work with websockets, but the real CORS implementation is superior in
the following things:

1. It really checks origin, not only sends it (even for native websockets)
2. It automatically sets allowed methods and headers, so more future proof
3. It doesn't linger OPTIONS request

Note that (1) actually means that previously, any host could connect
to any websocket (but not long polling) within zerogw. We don't see
this as a vulnerability as we don't use http cookies for
authorization. Still everybody is encouraged to upgrade and enable
security.

The configuration should be updated in the following way:
    ...
    websockets:
      enabled: yes
      allow-origins:
      - http://example.org
      - http://example.net:8080
    ...

In this implementation you can't have wildcard origins.

The functionality is in the master branch. The release will be soon, if no
problems are discovered.

--
Paul
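
Added example, not part of the original post and not zerogw code: a Python sketch of the exact-match origin check described in point (1), using the two origins from the configuration above. Rejecting a handshake that has no Origin header, the 101/403 return values and all function names are assumptions of this sketch.

```python
# Added illustration, not zerogw source: exact-match Origin allow-list check.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOW_ORIGINS = ["http://example.org", "http://example.net:8080"]  # from the post

def normalize_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None if malformed."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None  # an Origin value is scheme://host[:port], nothing else
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)

def origin_header(handshake):
    """Return the Origin value from a raw handshake, or None if absent or repeated."""
    found = []
    for line in handshake.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "origin":
            found.append(value)
    return found[0] if len(found) == 1 else None

def handshake_status(handshake, allow_origins=ALLOW_ORIGINS):
    """Return 101 to accept the upgrade, 403 to refuse it."""
    allowed = {normalize_origin(o) for o in allow_origins} - {None}
    raw = origin_header(handshake)
    origin = normalize_origin(raw) if raw is not None else None
    return 101 if origin is not None and origin in allowed else 403

def sample_handshake(origin=None):
    """Constructed browser-style handshake used as sample input."""
    lines = ["GET /ws HTTP/1.1", "Host: ws.example.org",
             "Upgrade: websocket", "Connection: Upgrade"]
    if origin is not None:
        lines.append("Origin: " + origin)
    return "\r\n".join(lines) + "\r\n\r\n"
```

Because the comparison is on the full (scheme, host, port) tuple, a listed host on a different port or scheme is refused, as is any host that merely begins with an allowed name.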

Павел Крюков

Aug 3, 2012, 7:02:24 AM
to zer...@googlegroups.com
Thanks!
At first glance it seems to work.
If I run into anything, I'll let you know.

On Friday, August 3, 2012, 0:45:12 UTC+4, Paul Colomiets wrote: