Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
socket.io
Advanced tools
socket.io - npm Package Compare versions
Comparing version 2.4.0 to 2.4.1
@@ -0,1 +1,9 @@ | ||
| ## [2.4.1](https://github.com/socketio/socket.io/compare/2.4.0...2.4.1) (2021-01-07) | ||
| ### Reverts | ||
| * fix(security): do not allow all origins by default ([a169050](https://github.com/socketio/socket.io/commit/a1690509470e9dd5559cec4e60908ca6c23e9ba0)) | ||
| # [2.4.0](https://github.com/socketio/socket.io/compare/2.3.0...2.4.0) (2021-01-04) | ||
@@ -2,0 +10,0 @@ |
@@ -57,3 +57,3 @@ 'use strict'; | ||
| this.adapter(opts.adapter || Adapter); | ||
| this.origins(opts.origins || []); | ||
| this.origins(opts.origins || '*:*'); | ||
| this.sockets = this.of('/'); | ||
@@ -71,14 +71,27 @@ if (srv) this.attach(srv, opts); | ||
| Server.prototype.checkRequest = function(req, fn) { | ||
| const origin = req.headers.origin; | ||
| var origin = req.headers.origin || req.headers.referer; | ||
| if (typeof this._origins === 'function') { | ||
| return this._origins(origin, fn); | ||
| } | ||
| // file:// URLs produce a null Origin which can't be authorized via echo-back | ||
| if ('null' == origin || null == origin) origin = '*'; | ||
| if (!!origin && typeof(this._origins) == 'function') return this._origins(origin, fn); | ||
| if (this._origins.indexOf('*:*') !== -1) return fn(null, true); | ||
| if (origin) { | ||
| fn(null, this._origins.includes(origin)); | ||
| } else { | ||
| const noOriginIsValid = this._origins.length === 0; | ||
| fn(null, noOriginIsValid); | ||
| try { | ||
| var parts = url.parse(origin); | ||
| var defaultPort = 'https:' == parts.protocol ? 443 : 80; | ||
| parts.port = parts.port != null | ||
| ? parts.port | ||
| : defaultPort; | ||
| var ok = | ||
| ~this._origins.indexOf(parts.protocol + '//' + parts.hostname + ':' + parts.port) || | ||
| ~this._origins.indexOf(parts.hostname + ':' + parts.port) || | ||
| ~this._origins.indexOf(parts.hostname + ':*') || | ||
| ~this._origins.indexOf('*:' + parts.port); | ||
| debug('origin %s is %svalid', origin, !!ok ? '' : 'not '); | ||
| return fn(null, !!ok); | ||
| } catch (ex) { | ||
| } | ||
| } | ||
| fn(null, false); | ||
| }; | ||
@@ -229,3 +242,3 @@ | ||
| this._origins = typeof v === 'string' ? [v] : v; | ||
| this._origins = v; | ||
| return this; | ||
@@ -232,0 +245,0 @@ }; |
| { | ||
| "name": "socket.io", | ||
| "version": "2.4.0", | ||
| "version": "2.4.1", | ||
| "description": "node.js realtime framework server", | ||
@@ -5,0 +5,0 @@ "keywords": [ |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by1.66%
56575
- Lines of code
- increased by0.9%
1452
No dependency changes