sockjs
Comparing version 0.3.4 to 0.3.5
@@ -57,3 +57,3 @@ (function() { | ||
websocket: this.options.websocket, | ||
origins: this.options.origins, | ||
origins: ['*:*'], | ||
cookie_needed: !!this.options.jsessionid, | ||
@@ -60,0 +60,0 @@ entropy: utils.random32() |
@@ -164,3 +164,2 @@ (function() { | ||
response_limit: 128 * 1024, | ||
origins: ['*:*'], | ||
websocket: true, | ||
@@ -167,0 +166,0 @@ jsessionid: false, |
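Review bot: A user-supplied `options.origins` is now silently ignored: the server-side value at L7 is hard-wired to `['*:*']` and the default at L12 is gone, but nothing rejects or warns about the option, so a deployment that relied on it to restrict WebSocket origins loses that restriction with no signal. Consider emitting a one-time warning where the options are read, e.g. `if (this.options.origins) console.warn('sockjs: the "origins" option is no longer honoured; enforce origin restrictions in the application');`, and dropping the option from the documented option list. The behavioural consequence (the upgrade handshake no longer checks `Origin`) lives in the next file section, where `_websocket_check` is changed; the enclosing constructor here starts and ends outside the hunk.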
@@ -14,3 +14,3 @@ (function() { | ||
_websocket_check: function(req, connection, head) { | ||
var conn, origin; | ||
var conn; | ||
if ((req.headers.upgrade || '').toLowerCase() !== 'websocket') { | ||
@@ -29,9 +29,2 @@ throw { | ||
} | ||
origin = req.headers.origin; | ||
if (!utils.verify_origin(origin, this.options.origins)) { | ||
throw { | ||
status: 400, | ||
message: 'Unverified origin.' | ||
}; | ||
} | ||
}, | ||
@@ -135,3 +128,3 @@ sockjs_websocket: function(req, connection, head) { | ||
try { | ||
this.ws.close(); | ||
this.ws.close(1000, "Normal closure", false); | ||
} catch (x) { | ||
@@ -190,3 +183,3 @@ | ||
this.readyState = Transport.CLOSING; | ||
this.ws.close(status, reason); | ||
this.ws.close(status, reason, false); | ||
return true; | ||
@@ -200,3 +193,3 @@ }; | ||
try { | ||
this.ws.close(); | ||
this.ws.close(1000, "Normal closure", false); | ||
} catch (x) { | ||
@@ -203,0 +196,0 @@ |
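Review bot: After the removal at L22–L28, `_websocket_check` accepts the upgrade for any `Origin` header, so a page on an unrelated site can open a WebSocket to this server, and nothing in the new code records that this is deliberate or where the restriction is expected to live instead. A short comment before the closing `},` at L29 would make the contract explicit, e.g. `// Origin is intentionally not verified here; any per-origin or per-user restriction must be enforced by the application (for example a token sent as the first message — see README "Authorisation").`, since the README on this page already argues that SockJS cannot rely on ambient browser credentials. Separately, the unnamed boolean third argument added to `this.ws.close(...)` at L33, L38 and L43 is a magic literal; a comment naming what that `false` controls in the WebSocket library would help the next reader, as its meaning is not visible from this file. Both enclosing functions start or end outside the hunks.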
@@ -147,7 +147,9 @@ (function() { | ||
} catch (x) { | ||
return; | ||
} | ||
this.connection.remoteAddress = remoteAddress; | ||
this.connection.remotePort = remotePort; | ||
this.connection.address = address; | ||
if (remoteAddress) { | ||
this.connection.remoteAddress = remoteAddress; | ||
this.connection.remotePort = remotePort; | ||
this.connection.address = address; | ||
} | ||
this.connection.url = req.url; | ||
@@ -154,0 +156,0 @@ this.connection.pathname = req.pathname; |
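Review bot: The new `if (remoteAddress)` guard at L53 has no comment saying why the three peer fields may be absent, and it gates `remotePort` and `address` on `remoteAddress` alone, so when that value is falsy all three properties keep whatever they held before (or stay `undefined` on a fresh connection). Presumably this covers a socket that has already gone away by the time the fields are read — the `catch (x) { return; }` just above suggests that path is expected — but that should be confirmed and written down, e.g. `// the socket may no longer report a peer address (presumably already closed); keep any previously recorded values rather than overwriting them with undefined`. The enclosing function starts outside the hunk.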
@@ -22,16 +22,2 @@ (function() { | ||
exports.verify_origin = function(origin, list_of_origins) { | ||
var origins, parts; | ||
if (list_of_origins.indexOf('*:*') !== -1) return true; | ||
if (!origin) return false; | ||
try { | ||
parts = url.parse(origin); | ||
origins = [parts.host + ':' + parts.port, parts.host + ':*', '*:' + parts.port]; | ||
if (array_intersection(origins, list_of_origins).length > 0) return true; | ||
} catch (x) { | ||
} | ||
return false; | ||
}; | ||
exports.escape_selected = function(str, chars) { | ||
@@ -38,0 +24,0 @@ var c, i, map, parts, r, v, _i, _len, _ref; |
{ | ||
"name" : "sockjs", | ||
"author" : "Marek Majkowski", | ||
"version" : "0.3.4", | ||
"version" : "0.3.5", | ||
"description" : "SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication channel between the browser and the web server.", | ||
@@ -6,0 +6,0 @@ "keywords" : ["websockets", "websocket"], |
@@ -6,3 +6,2 @@ SockJS family: | ||
* [SockJS-erlang](https://github.com/sockjs/sockjs-erlang) Erlang server | ||
* [SockJS-lua](https://github.com/luvit/sockjs-luvit) Lua/Luvit server | ||
* [SockJS-tornado](https://github.com/MrJoes/sockjs-tornado) Python/Tornado server | ||
@@ -21,2 +20,4 @@ * [vert.x](https://github.com/purplefox/vert.x) Java/vert.x server | ||
* [wai-SockJS](https://github.com/Palmik/wai-sockjs) | ||
* [SockJS-perl](https://github.com/vti/sockjs-perl) | ||
* [SockJS-go](https://github.com/igm/sockjs-go/) | ||
@@ -153,3 +154,3 @@ What is SockJS? | ||
set this cookie to a dummy value. By default setting JSESSIONID cookie | ||
is disabled. More sophisticated beaviour can be achieved by supplying | ||
is disabled. More sophisticated behaviour can be achieved by supplying | ||
a function.</dd> | ||
@@ -168,5 +169,5 @@ | ||
<dd>In order to keep proxies and load balancers from closing long | ||
running http requests we need to pretend that the connecion is | ||
running http requests we need to pretend that the connection is | ||
active and send a heartbeat packet once in a while. This setting | ||
controlls how often this is done. By default a heartbeat packet is | ||
controls how often this is done. By default a heartbeat packet is | ||
sent every 25 seconds. </dd> | ||
@@ -235,5 +236,5 @@ | ||
on that connection. Exposed headers include: `origin`, `referer` | ||
and `x-forwarded-for` (and friends). We expliclty do not grant | ||
and `x-forwarded-for` (and friends). We explicitly do not grant | ||
access to `cookie` header, as using it may easily lead to security | ||
issues (for details read the section "Authorization").</dd> | ||
issues (for details read the section "Authorisation").</dd> | ||
@@ -346,3 +347,3 @@ <dt>Property: url (string)</dt> | ||
Fortunetely recent versions of an excellent load balancer | ||
Fortunately recent versions of an excellent load balancer | ||
[HAProxy](http://haproxy.1wt.eu/) are able to proxy WebSocket | ||
@@ -360,9 +361,9 @@ connections. We propose to put HAProxy as a front line load balancer | ||
If you plan depling more than one SockJS server, you must make sure | ||
If you plan deploying more than one SockJS server, you must make sure | ||
that all HTTP requests for a single session will hit the same server. | ||
SockJS has two mechanisms that can be usefull to achieve that: | ||
SockJS has two mechanisms that can be useful to achieve that: | ||
* Urls are prefixed with server and session id numbers, like: | ||
`/resource/<server_number>/<session_id>/transport`. This is | ||
usefull for load balancers that support prefix-based affinity | ||
useful for load balancers that support prefix-based affinity | ||
(HAProxy does). | ||
@@ -372,3 +373,3 @@ * `JSESSIONID` cookie is being set by SockJS-node. Many load | ||
technique is derived from Java applications, where sticky sessions | ||
are often neccesary. HAProxy does support this method, as well as | ||
are often necessary. HAProxy does support this method, as well as | ||
some hosting providers, for example CloudFoundry. In order to | ||
@@ -437,6 +438,6 @@ enable this method on the client side, please supply a | ||
### Authorization | ||
### Authorisation | ||
SockJS-node does not expose cookies to the application. This is done | ||
deliberately as using cookie-based authorization with SockJS simply | ||
deliberately as using cookie-based authorisation with SockJS simply | ||
doesn't make sense and will lead to security issues. | ||
@@ -451,5 +452,5 @@ | ||
domain. The domain of an iframe is the same as the SockJS domain. The | ||
problem is that any website can embedd the iframe and communicate with | ||
problem is that any website can embed the iframe and communicate with | ||
it - and request establishing SockJS connection. Using cookies for | ||
authorization in this scenario will result in granting full access to | ||
authorisation in this scenario will result in granting full access to | ||
SockJS communication with your website from any website. This is a | ||
@@ -459,3 +460,3 @@ classic CSRF attack. | ||
Basically - cookies are not suited for SockJS model. If you want to | ||
authorize a session - provide a unique token on a page, send it as a | ||
authorise a session - provide a unique token on a page, send it as a | ||
first thing over SockJS connection and validate it on the server | ||
@@ -462,0 +463,0 @@ side. In essence, this is how cookies work. |