Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to set Cross domain origin? #194

Closed
gunsluo opened this issue Feb 21, 2020 · 9 comments · Fixed by #195 or #198
Closed

How to set Cross domain origin? #194

gunsluo opened this issue Feb 21, 2020 · 9 comments · Fixed by #195 or #198
Labels
docs enhancement
Milestone
v1.8.5

Comments

@gunsluo
Copy link

gunsluo commented Feb 21, 2020

in AcceptOptions struct, I found the InsecureSkipVerify field and set it equal to true. but all clients can connect to the WebSocket server, it includes illegal clients. in gorilla have CheckOrigin. but there is no the same method. (AcceptOrigins and add AcceptInsecureOrigin is removed in the current version).


	// InsecureSkipVerify disables Accept's origin verification behaviour. By default,
	// the connection will only be accepted if the request origin is equal to the request
	// host.
	//
	// This is only required if you want javascript served from a different domain
	// to access your WebSocket server.
	//
	// See https://stackoverflow.com/a/37837709/4283659
	//
	// Please ensure you understand the ramifications of enabling this.
	// If used incorrectly your WebSocket server will be open to CSRF attacks.
	InsecureSkipVerify bool

@nhooyr How to set origin like gorilla's CheckOrigin? Looking forward to your reply, appreciate it. Thanks.
@nhooyr
Copy link
Contributor

nhooyr commented Feb 21, 2020

Hi @gunsluo

You'd verify the Origin header yourself before accepting the WebSocket.

This is how the default works: https://github.com/nhooyr/websocket/blob/c62c0dcc9318d1ad612613d433ec90d7c34378dc/accept.go#L168

You'd want the same except you'd verify against your domain in https://github.com/nhooyr/websocket/blob/c62c0dcc9318d1ad612613d433ec90d7c34378dc/accept.go#L175 instead of r.Host.

@nhooyr nhooyr closed this as completed Feb 21, 2020
@nhooyr
Copy link
Contributor

nhooyr commented Feb 21, 2020

I'll add an example for this.

@nhooyr nhooyr reopened this Feb 21, 2020
@nhooyr nhooyr added the docs label Feb 21, 2020
nhooyr added a commit that referenced this issue Feb 21, 2020
@nhooyr
Add Example_crossOrigin
e8f5bc8 
Closes #194
@nhooyr nhooyr mentioned this issue Feb 21, 2020
Merged
@nhooyr
Copy link
Contributor

nhooyr commented Feb 21, 2020

See https://godoc.org/nhooyr.io/websocket#example-package--CrossOrigin

@gunsluo
Copy link
Author

gunsluo commented Feb 24, 2020
edited
Loading

@nhooyr thanks. sorry for reply later. in fact, we use the same method. I expect WebSocket to provide a configurable item.

@nhooyr
Copy link
Contributor

nhooyr commented Feb 26, 2020

I agree, let's add it as I think it is a common use case.

How about OriginDomains []string to DialOpts?

@nhooyr nhooyr reopened this Feb 26, 2020
nhooyr added a commit that referenced this issue Feb 26, 2020
@nhooyr
Add OriginPatterns to AcceptOptions
500b9d7 
Closes #194
@nhooyr
Copy link
Contributor

nhooyr commented Feb 26, 2020
edited
Loading

Please review #198

@nhooyr nhooyr mentioned this issue Feb 26, 2020
Merged
@nhooyr nhooyr added this to the v1.9.0 milestone Feb 26, 2020
@nhooyr nhooyr modified the milestones: v1.9.0, v1.8.5 Apr 13, 2020
@lurenyang418 lurenyang418 mentioned this issue Jul 28, 2022
Closed
@amirhossein-shakeri
Copy link

Hi everyone! It seems the client Origin header should be something like this https://example.com rather than example.com.

I'm not sure if that is a problem or a standard but if the origin is set like api.example.com and the accept pattern is *.example.com, they don't match, unless we change the Origin header to https://api.example.com.

Just thought that might be helpful for someone who surfs the issues related to accept origins or stuff like that.

@biskit
Copy link

biskit commented Jul 15, 2023

still having issues with this... it does not work with flutter client

failed to accept WebSocket connection: request Origin "http://localhost:61330" is not authorized for Host "192.168.100.106:8999"

i have

websocket.Accept(w, r, &websocket.AcceptOptions{
			OriginPatterns: []string{"http://localhost:*"},
		})

and I connect

WebSocketChannel.connect(
    Uri.parse('ws://192.168.100.106:8999/xxx'),
  );

this I assume is a standard development test case.

so, what should my AcceptOptions be????

thx

@nhooyr
Copy link
Contributor

nhooyr commented Sep 28, 2023

@biskit OriginPatterns: []string{"localhost"}, should work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
docs enhancement
Projects
None yet
Milestone
v1.8.5
Development

Successfully merging a pull request may close this issue.

Add Example_crossOrigin coder/websocket
Add OriginPatterns to AcceptOptions coder/websocket
4 participants
@biskit @gunsluo @nhooyr @amirhossein-shakeri