Allow configuring which connection headers are exposed

[mitar]

Currently, there is a hard-coded list of headers which are available on the connection. I think this should be configurable. Or at least all x- prefixed headers should be available.

I am trying to use Meteor with Sandstorm and the latter sends quite some information in proxied requests in headers with x- prefix. Currently all that is not accessible. :-(

[prawnsalad]

I also need this as I'm trying to read cookies and custom headers. What is the rational for having a whitelist of cookies?

[mitar]

You can read here about cookies: https://github.com/sockjs/sockjs-node#authorisation

[kentonv]

The problem with cookies also applies to the X-Sandstorm headers. The fact that they are added server-side by a reverse proxy does not make them any more trustworthy than cookies. In fact, the proxy derives these headers from a cookie. You should not whitelist them.