[revert] Allow configuration of Access-Control-Allow-Origin value (#…
…511)

This reverts commit ebf1a96.

Related: socketio/socket.io#3381
darrachequesne committed Nov 29, 2018
1 parent 64d6044 commit ec4e12a
Showing 9 changed files with 32 additions and 42 deletions.
1 change: 0 additions & 1 deletion README.md
@@ -228,7 +228,6 @@ to a single process.
- `maxHttpBufferSize` (`Number`): how many bytes or characters a message
can be, before closing the session (to avoid DoS). Default
value is `10E7`.
- `origins` (`String`): the allowed origins (`*`)
- `allowRequest` (`Function`): A function that receives a given handshake
or upgrade request as its first parameter, and can decide whether to
continue or not. The second argument is a function that needs to be
26 changes: 9 additions & 17 deletions lib/server.js
@@ -45,7 +45,6 @@ function Server (opts) {
this.allowUpgrades = false !== opts.allowUpgrades;
this.allowRequest = opts.allowRequest;
this.cookie = false !== opts.cookie ? (opts.cookie || 'io') : false;
this.origins = opts.origins || '*';
this.cookiePath = false !== opts.cookiePath ? (opts.cookiePath || '/') : false;
this.cookieHttpOnly = false !== opts.cookieHttpOnly;
this.perMessageDeflate = false !== opts.perMessageDeflate ? (opts.perMessageDeflate || true) : false;
@@ -222,7 +221,7 @@ Server.prototype.handleRequest = function (req, res) {
var self = this;
this.verify(req, false, function (err, success) {
if (!success) {
self.sendErrorMessage(req, res, err);
sendErrorMessage(req, res, err);
return;
}

@@ -243,7 +242,7 @@ Server.prototype.handleRequest = function (req, res) {
* @api private
*/

Server.prototype.sendErrorMessage = function (req, res, code) {
function sendErrorMessage (req, res, code) {
var headers = { 'Content-Type': 'application/json' };

var isForbidden = !Server.errorMessages.hasOwnProperty(code);
@@ -255,21 +254,20 @@ Server.prototype.sendErrorMessage = function (req, res, code) {
}));
return;
}

headers['Access-Control-Allow-Origin'] = this.origins;
headers['Vary'] = 'Origin';
if (req.headers.origin) {
headers['Access-Control-Allow-Credentials'] = 'true';
headers['Access-Control-Allow-Origin'] = req.headers.origin;
} else {
headers['Access-Control-Allow-Origin'] = '*';
}

if (res !== undefined) {
res.writeHead(400, headers);
res.end(JSON.stringify({
code: code,
message: Server.errorMessages[code]
}));
}
};
}

/**
* generate a socket id.
@@ -295,12 +293,9 @@ Server.prototype.handshake = function (transportName, req) {
var id = this.generateId(req);

debug('handshaking client "%s"', id);
var opts = {
origins: this.origins
};

try {
var transport = new transports[transportName](req, opts);
var transport = new transports[transportName](req);
if ('polling' === transportName) {
transport.maxHttpBufferSize = this.maxHttpBufferSize;
transport.httpCompression = this.httpCompression;
@@ -314,7 +309,7 @@ Server.prototype.handshake = function (transportName, req) {
transport.supportsBinary = true;
}
} catch (e) {
this.sendErrorMessage(req, req.res, Server.errors.BAD_REQUEST);
sendErrorMessage(req, req.res, Server.errors.BAD_REQUEST);
return;
}
var socket = new Socket(id, this, transport, req);
@@ -408,10 +403,7 @@ Server.prototype.onWebSocket = function (req, socket) {
// transport error handling takes over
socket.removeListener('error', onUpgradeError);

var opts = {
origins: this.origins
};
var transport = new transports[req._query.transport](req, opts);
var transport = new transports[req._query.transport](req);
if (req._query && req._query.b64) {
transport.supportsBinary = false;
} else {
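Review bot: `sendErrorMessage` now echoes `req.headers.origin` into `Access-Control-Allow-Origin` while also sending `Access-Control-Allow-Credentials: true`, so any web origin is allowed credentialed reads of the response. The `headers['Vary'] = 'Origin';` line also appears to be dropped along with the `origins` option. Keeping `headers['Vary'] = 'Origin';` ahead of the `if (req.headers.origin)` test would stop a shared cache from replaying one origin's header to another. The only origin filter still visible on this page is `allowRequest`, so the function's doc comment should say that, e.g. `// CORS headers mirror the request Origin; restrict origins in allowRequest`. The same applies to `XHR.prototype.headers` in lib/transports/polling-xhr.js; both function bodies extend beyond the lines shown.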
4 changes: 1 addition & 3 deletions lib/transport.js
@@ -26,14 +26,12 @@ function noop () {}
* Transport constructor.
*
* @param {http.IncomingMessage} request
* @param {Object} opts allows the origins option to be passed along
* @api public
*/

function Transport (req, opts) {
function Transport (req) {
this.readyState = 'open';
this.discarded = false;
this.origins = opts.origins;
}

/**
6 changes: 3 additions & 3 deletions lib/transports/index.js
@@ -27,10 +27,10 @@ exports.polling.upgradesTo = ['websocket'];
* @api private
*/

function polling (req, opts) {
function polling (req) {
if ('string' === typeof req._query.j) {
return new JSONP(req, opts);
return new JSONP(req);
} else {
return new XHR(req, opts);
return new XHR(req);
}
}
4 changes: 2 additions & 2 deletions lib/transports/polling-jsonp.js
@@ -21,8 +21,8 @@ module.exports = JSONP;
* @api public
*/

function JSONP (req, opts) {
Polling.call(this, req, opts);
function JSONP (req) {
Polling.call(this, req);

this.head = '___eio[' + (req._query.j || '').replace(/[^0-9]/g, '') + '](';
this.foot = ');';
9 changes: 5 additions & 4 deletions lib/transports/polling-xhr.js
@@ -18,8 +18,8 @@ module.exports = XHR;
* @api public
*/

function XHR (req, opts) {
Polling.call(this, req, opts);
function XHR (req) {
Polling.call(this, req);
}

/**
@@ -58,10 +58,11 @@ XHR.prototype.onRequest = function (req) {
XHR.prototype.headers = function (req, headers) {
headers = headers || {};

headers['Access-Control-Allow-Origin'] = this.origins;
headers['Vary'] = 'Origin';
if (req.headers.origin) {
headers['Access-Control-Allow-Credentials'] = 'true';
headers['Access-Control-Allow-Origin'] = req.headers.origin;
} else {
headers['Access-Control-Allow-Origin'] = '*';
}

return Polling.prototype.headers.call(this, req, headers);
4 changes: 2 additions & 2 deletions lib/transports/polling.js
@@ -27,8 +27,8 @@ module.exports = Polling;
* @api public.
*/

function Polling (req, opts) {
Transport.call(this, req, opts);
function Polling (req) {
Transport.call(this, req);

this.closeTimeout = 30 * 1000;
this.maxHttpBufferSize = null;
4 changes: 2 additions & 2 deletions lib/transports/websocket.js
@@ -21,8 +21,8 @@ module.exports = WebSocket;
* @api public
*/

function WebSocket (req, opts) {
Transport.call(this, req, opts);
function WebSocket (req) {
Transport.call(this, req);
var self = this;
this.socket = req.websocket;
this.socket.on('message', this.onData.bind(this));
16 changes: 8 additions & 8 deletions test/server.js
@@ -58,7 +58,7 @@ describe('server', function () {
expect(res.body.code).to.be(0);
expect(res.body.message).to.be('Transport unknown');
expect(res.header['access-control-allow-credentials']).to.be('true');
expect(res.header['access-control-allow-origin']).to.be('*');
expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
done();
});
});
@@ -75,7 +75,7 @@ describe('server', function () {
expect(res.body.code).to.be(1);
expect(res.body.message).to.be('Session ID unknown');
expect(res.header['access-control-allow-credentials']).to.be('true');
expect(res.header['access-control-allow-origin']).to.be('*');
expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
done();
});
});
@@ -416,7 +416,7 @@ describe('server', function () {
expect(res.body.code).to.be(3);
expect(res.body.message).to.be('Bad request');
expect(res.header['access-control-allow-credentials']).to.be('true');
expect(res.header['access-control-allow-origin']).to.be('*');
expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
done();
});
});
@@ -932,7 +932,7 @@ describe('server', function () {
it('should trigger transport close before open for ws', function (done) {
var opts = { transports: ['websocket'] };
listen(opts, function (port) {
var url = 'ws://%s:%d'.s('0.0.0.0', port);
var url = 'ws://%s:%d'.s('0.0.0.50', port);
var socket = new eioc.Socket(url);
socket.on('open', function () {
done(new Error('Test invalidation'));
@@ -2589,7 +2589,7 @@ describe('server', function () {

describe('cors', function () {
it('should handle OPTIONS requests', function (done) {
listen({handlePreflightRequest: true, origins: 'engine.io:*'}, function (port) {
listen({handlePreflightRequest: true}, function (port) {
request.options('http://localhost:%d/engine.io/default/'.s(port))
.set('Origin', 'http://engine.io')
.query({ transport: 'polling' })
@@ -2599,7 +2599,7 @@ describe('server', function () {
expect(res.body.code).to.be(2);
expect(res.body.message).to.be('Bad handshake method');
expect(res.header['access-control-allow-credentials']).to.be('true');
expect(res.header['access-control-allow-origin']).to.be('engine.io:*');
expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
done();
});
});
@@ -2624,7 +2624,7 @@ describe('server', function () {
var headers = {};
if (req.headers.origin) {
headers['Access-Control-Allow-Credentials'] = 'true';
headers['Access-Control-Allow-Origin'] = '*';
headers['Access-Control-Allow-Origin'] = req.headers.origin;
} else {
headers['Access-Control-Allow-Origin'] = '*';
}
@@ -2642,7 +2642,7 @@ describe('server', function () {
expect(res.status).to.be(200);
expect(res.body).to.be.empty();
expect(res.header['access-control-allow-credentials']).to.be('true');
expect(res.header['access-control-allow-origin']).to.be('*');
expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
expect(res.header['access-control-allow-methods']).to.be('GET,HEAD,PUT,PATCH,POST,DELETE');
expect(res.header['access-control-allow-headers']).to.be('origin, content-type, accept');
done();
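Review bot: The CORS assertions in these hunks all appear to send `Origin: http://engine.io` and expect it echoed back with `access-control-allow-credentials` equal to `'true'`, so they pin the permissive behaviour without covering the other paths. Consider adding one case without an `Origin` header that expects `'*'` and no credentials header. A second case where `allowRequest` rejects a foreign origin would show how origins are meant to be restricted after this revert. Such cases may already exist outside the lines shown.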
