sockjs
Advanced tools
Comparing version 0.3.4 to 0.3.5
@@ -57,3 +57,3 @@ (function() { | ||
| websocket: this.options.websocket, | ||
| origins: this.options.origins, | ||
| origins: ['*:*'], | ||
| cookie_needed: !!this.options.jsessionid, | ||
@@ -60,0 +60,0 @@ entropy: utils.random32() |
@@ -164,3 +164,2 @@ (function() { | ||
| response_limit: 128 * 1024, | ||
| origins: ['*:*'], | ||
| websocket: true, | ||
@@ -167,0 +166,0 @@ jsessionid: false, |
@@ -14,3 +14,3 @@ (function() { | ||
| _websocket_check: function(req, connection, head) { | ||
| var conn, origin; | ||
| var conn; | ||
| if ((req.headers.upgrade || '').toLowerCase() !== 'websocket') { | ||
@@ -29,9 +29,2 @@ throw { | ||
| } | ||
| origin = req.headers.origin; | ||
| if (!utils.verify_origin(origin, this.options.origins)) { | ||
| throw { | ||
| status: 400, | ||
| message: 'Unverified origin.' | ||
| }; | ||
| } | ||
| }, | ||
@@ -135,3 +128,3 @@ sockjs_websocket: function(req, connection, head) { | ||
| try { | ||
| this.ws.close(); | ||
| this.ws.close(1000, "Normal closure", false); | ||
| } catch (x) { | ||
@@ -190,3 +183,3 @@ | ||
| this.readyState = Transport.CLOSING; | ||
| this.ws.close(status, reason); | ||
| this.ws.close(status, reason, false); | ||
| return true; | ||
@@ -200,3 +193,3 @@ }; | ||
| try { | ||
| this.ws.close(); | ||
| this.ws.close(1000, "Normal closure", false); | ||
| } catch (x) { | ||
@@ -203,0 +196,0 @@ |
@@ -147,7 +147,9 @@ (function() { | ||
| } catch (x) { | ||
| return; | ||
| } | ||
| this.connection.remoteAddress = remoteAddress; | ||
| this.connection.remotePort = remotePort; | ||
| this.connection.address = address; | ||
| if (remoteAddress) { | ||
| this.connection.remoteAddress = remoteAddress; | ||
| this.connection.remotePort = remotePort; | ||
| this.connection.address = address; | ||
| } | ||
| this.connection.url = req.url; | ||
@@ -154,0 +156,0 @@ this.connection.pathname = req.pathname; |
@@ -22,16 +22,2 @@ (function() { | ||
| exports.verify_origin = function(origin, list_of_origins) { | ||
| var origins, parts; | ||
| if (list_of_origins.indexOf('*:*') !== -1) return true; | ||
| if (!origin) return false; | ||
| try { | ||
| parts = url.parse(origin); | ||
| origins = [parts.host + ':' + parts.port, parts.host + ':*', '*:' + parts.port]; | ||
| if (array_intersection(origins, list_of_origins).length > 0) return true; | ||
| } catch (x) { | ||
| } | ||
| return false; | ||
| }; | ||
| exports.escape_selected = function(str, chars) { | ||
@@ -38,0 +24,0 @@ var c, i, map, parts, r, v, _i, _len, _ref; |
| { | ||
| "name" : "sockjs", | ||
| "author" : "Marek Majkowski", | ||
| "version" : "0.3.4", | ||
| "version" : "0.3.5", | ||
| "description" : "SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication channel between the browser and the web server.", | ||
@@ -6,0 +6,0 @@ "keywords" : ["websockets", "websocket"], |
@@ -6,3 +6,2 @@ SockJS family: | ||
| * [SockJS-erlang](https://github.com/sockjs/sockjs-erlang) Erlang server | ||
| * [SockJS-lua](https://github.com/luvit/sockjs-luvit) Lua/Luvit server | ||
| * [SockJS-tornado](https://github.com/MrJoes/sockjs-tornado) Python/Tornado server | ||
@@ -21,2 +20,4 @@ * [vert.x](https://github.com/purplefox/vert.x) Java/vert.x server | ||
| * [wai-SockJS](https://github.com/Palmik/wai-sockjs) | ||
| * [SockJS-perl](https://github.com/vti/sockjs-perl) | ||
| * [SockJS-go](https://github.com/igm/sockjs-go/) | ||
@@ -153,3 +154,3 @@ What is SockJS? | ||
| set this cookie to a dummy value. By default setting JSESSIONID cookie | ||
| is disabled. More sophisticated beaviour can be achieved by supplying | ||
| is disabled. More sophisticated behaviour can be achieved by supplying | ||
| a function.</dd> | ||
@@ -168,5 +169,5 @@ | ||
| <dd>In order to keep proxies and load balancers from closing long | ||
| running http requests we need to pretend that the connecion is | ||
| running http requests we need to pretend that the connection is | ||
| active and send a heartbeat packet once in a while. This setting | ||
| controlls how often this is done. By default a heartbeat packet is | ||
| controls how often this is done. By default a heartbeat packet is | ||
| sent every 25 seconds. </dd> | ||
@@ -235,5 +236,5 @@ | ||
| on that connection. Exposed headers include: `origin`, `referer` | ||
| and `x-forwarded-for` (and friends). We expliclty do not grant | ||
| and `x-forwarded-for` (and friends). We explicitly do not grant | ||
| access to `cookie` header, as using it may easily lead to security | ||
| issues (for details read the section "Authorization").</dd> | ||
| issues (for details read the section "Authorisation").</dd> | ||
@@ -346,3 +347,3 @@ <dt>Property: url (string)</dt> | ||
| Fortunetely recent versions of an excellent load balancer | ||
| Fortunately recent versions of an excellent load balancer | ||
| [HAProxy](http://haproxy.1wt.eu/) are able to proxy WebSocket | ||
@@ -360,9 +361,9 @@ connections. We propose to put HAProxy as a front line load balancer | ||
| If you plan depling more than one SockJS server, you must make sure | ||
| If you plan deploying more than one SockJS server, you must make sure | ||
| that all HTTP requests for a single session will hit the same server. | ||
| SockJS has two mechanisms that can be usefull to achieve that: | ||
| SockJS has two mechanisms that can be useful to achieve that: | ||
| * Urls are prefixed with server and session id numbers, like: | ||
| `/resource/<server_number>/<session_id>/transport`. This is | ||
| usefull for load balancers that support prefix-based affinity | ||
| useful for load balancers that support prefix-based affinity | ||
| (HAProxy does). | ||
@@ -372,3 +373,3 @@ * `JSESSIONID` cookie is being set by SockJS-node. Many load | ||
| technique is derived from Java applications, where sticky sessions | ||
| are often neccesary. HAProxy does support this method, as well as | ||
| are often necessary. HAProxy does support this method, as well as | ||
| some hosting providers, for example CloudFoundry. In order to | ||
@@ -437,6 +438,6 @@ enable this method on the client side, please supply a | ||
| ### Authorization | ||
| ### Authorisation | ||
| SockJS-node does not expose cookies to the application. This is done | ||
| deliberately as using cookie-based authorization with SockJS simply | ||
| deliberately as using cookie-based authorisation with SockJS simply | ||
| doesn't make sense and will lead to security issues. | ||
@@ -451,5 +452,5 @@ | ||
| domain. The domain of an iframe is the same as the SockJS domain. The | ||
| problem is that any website can embedd the iframe and communicate with | ||
| problem is that any website can embed the iframe and communicate with | ||
| it - and request establishing SockJS connection. Using cookies for | ||
| authorization in this scenario will result in granting full access to | ||
| authorisation in this scenario will result in granting full access to | ||
| SockJS communication with your website from any website. This is a | ||
@@ -459,3 +460,3 @@ classic CSRF attack. | ||
| Basically - cookies are not suited for SockJS model. If you want to | ||
| authorize a session - provide a unique token on a page, send it as a | ||
| authorise a session - provide a unique token on a page, send it as a | ||
| first thing over SockJS connection and validate it on the server | ||
@@ -462,0 +463,0 @@ side. In essence, this is how cookies work. |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
No alert changes
Improved metrics
- Total package byte prevSize
- increased by0.04%
95642
- Number of package files
- increased by2.5%
41
- Number of lines in readme file
- increased by0.22%
459
Worsened metrics
- Lines of code
- decreased by-1.17%
1606
No dependency changes