Do not send 'Origin' header in handshake #38
Conversation
This is a header only intended to support for Web Origin security in browsers. Other clients are not required to include this header, and the current case complicates servers since it receiving 'ws://' or 'ws://' in the 'Origin' header is highly unusual. RFC 6455, Section 4.1, Client Requirements: > Additionally, if the client is a web browser, it supplies /origin/. RFC 6455, Section 4.2.1, Reading the Client's Opening Handshake: > Optionally, an |Origin| header field. This header field is sent by > all browser clients. A connection attempt lacking this header field > SHOULD NOT be interpreted as coming from a browser client.
Do not send 'Origin' header in handshake
|
@jeremyong FWIW, this commit causes issues with older versions of the Go websocket implementation. It manifests as "normal" EXIT messages whenever attempting to connect. I'm going to attempt an upgrade to the latest Go websocket server implementation at https://godoc.org/golang.org/x/net/websocket and see if that resolves the issue. |
|
I just tested against the latest Go websocket implementation, and it still fails. 🐼 |
|
It looks like the default HTTP server implementation that comes with the Go Websocket library always checks the Origin header: https://github.com/golang/net/blob/master/websocket/server.go#L93-L99 Next thing to try is to create a server which doesn't check origin, since in this particular I do not use browsers as clients. |
|
This StackOverflow response provided the solution: http://stackoverflow.com/a/23324279/1592455 (in case anyone else needs it). |
This is a header only intended to support for Web Origin security in
browsers. Other clients are not required to include this header, and the
current case complicates servers since it receiving 'ws://' or 'ws://'
in the 'Origin' header is highly unusual.
RFC 6455, Section 4.1, Client Requirements:
RFC 6455, Section 4.2.1, Reading the Client's Opening Handshake: