Allow configuring which headers are exposed #202

Closed
20 changes: 14 additions & 6 deletions README.md
Expand Up @@ -156,6 +156,13 @@ Where `options` is a hash which can contain:
connection have not been seen for a while. This delay is configured
by this setting. By default the `close` event will be emitted when a
receiving connection wasn't seen for 5 seconds. </dd>

<dt>allowed_headers (array of strings)</dt>
<dd>A whitelist of HTTP headers exposed through connection's `headers`
object. By default only the following headers are exposed:
`referer`, `x-client-ip`, `x-forwarded-for`, `x-cluster-client-ip`,
`via`, `x-real-ip`, `x-forwarded-proto`, `x-ssl`, `host`,
`user-agent`, and `accept-language`.</dd>
</dl>


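Review bot: the new `allowed_headers` entry should state how names are matched and what adding `cookie` means. The lookup in src/transport.coffee is `req.headers[key]`, and Node lowercases the keys of `req.headers`, so an entry such as `Cookie` or `X-Forwarded-For` silently matches nothing; say that names must be given in lowercase. It should also point at the "Authorisation" section so that anyone adding `cookie` to the list knows they are opting back into the problem described there.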
Expand Down Expand Up @@ -212,9 +219,10 @@ has following methods and properties:
<dt>Property: headers (object)</dt>
<dd>Hash containing various headers copied from last receiving request
on that connection. Exposed headers include: `origin`, `referer`
and `x-forwarded-for` (and friends). We explicitly do not grant
access to `cookie` header, as using it may easily lead to security
issues (for details read the section "Authorisation").</dd>
and `x-forwarded-for` (and friends). By default we explicitly do not
grant access to `cookie` header, as using it may easily lead to security
issues (for details read the section "Authorisation"). You can use
`allowed_headers` option to configure the whitelist.</dd>

<dt>Property: url (string)</dt>
<dd><a href="http://nodejs.org/docs/v0.4.10/api/http.html#request.url">Url</a>
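Review bot: this sentence still lists `origin` among the exposed headers, but `origin` is not in the default `allowed_headers` list documented in the previous hunk (`referer`, `x-client-ip`, ..., `accept-language`), so either add it to the default or drop it from this sentence. Minor wording: "You can use `allowed_headers` option to configure the whitelist." reads better as "Use the `allowed_headers` option to configure the whitelist."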
Expand Down Expand Up @@ -414,9 +422,9 @@ Various issues and design considerations

### Authorisation

SockJS-node does not expose cookies to the application. This is done
deliberately as using cookie-based authorisation with SockJS simply
doesn't make sense and will lead to security issues.
SockJS-node by default does not expose cookies to the application.
This is done deliberately as using cookie-based authorisation with
SockJS simply doesn't make sense and will lead to security issues.

Cookies are a contract between a browser and an http server, and are
identified by a domain name. If a browser has a cookie set for
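Review bot: "by default" is now the only hint in this section that the behaviour is configurable; add one sentence stating that listing `cookie` in `allowed_headers` re-enables the cookie exposure that the rest of this section argues against, so a reader who arrives here from the option's description understands the trade-off.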
6 changes: 6 additions & 0 deletions src/sockjs.coffee
Expand Up @@ -142,6 +142,12 @@ class Server extends events.EventEmitter
jsessionid: false
heartbeat_delay: 25000
disconnect_delay: 5000
allowed_headers: [
'referer', 'x-client-ip', 'x-forwarded-for',
'x-cluster-client-ip', 'via', 'x-real-ip',
'x-forwarded-proto', 'x-ssl',
'host', 'user-agent', 'accept-language'
]
log: (severity, line) -> console.log(line)
sockjs_url: 'https://cdn.jsdelivr.net/sockjs/1.0.1/sockjs.min.js'
if user_options
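Review bot: the default list here duplicates the README list verbatim, so the two will drift; consider exporting the default so the README can reference it. More importantly, the merge with `user_options` that follows this hunk (its body is outside the diff) looks like a per-key overwrite, which means a user passing `allowed_headers: ['x-custom']` drops `host`, `user-agent` and the other defaults rather than adding to them; whichever semantics is intended, document it. Consider also validating that the value is an array of strings, since `for key in @allowed_headers` in src/transport.coffee iterates a string character by character and throws on `null`.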
6 changes: 2 additions & 4 deletions src/transport.coffee
Expand Up @@ -61,6 +61,7 @@ class Session
constructor: (@session_id, server) ->
@heartbeat_delay = server.options.heartbeat_delay
@disconnect_delay = server.options.disconnect_delay
@allowed_headers = server.options.allowed_headers
@prefix = server.options.prefix
@send_buffer = []
@is_closing = false
Expand Down Expand Up @@ -130,10 +131,7 @@ class Session
@connection.protocol = @recv.protocol

headers = {}
for key in ['referer', 'x-client-ip', 'x-forwarded-for', \
'x-cluster-client-ip', 'via', 'x-real-ip', \
'x-forwarded-proto', 'x-ssl', \
'host', 'user-agent', 'accept-language']
for key in @allowed_headers
headers[key] = req.headers[key] if req.headers[key]
if headers
@connection.headers = headers
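Review bot: `req.headers` is lowercase-keyed in Node, so entries in `@allowed_headers` must be lowercase to match; either normalise with `key.toLowerCase()` when building `headers` (or once when the option is read) or document the requirement. Two smaller points visible in the context lines: `if headers` is always true for an object literal, so the guard does nothing (`Object.keys(headers).length` if the intent is to skip an empty object), and because the loop now runs over a user-supplied list, a `cookie` entry copies the raw cookie header onto `@connection.headers`, which is exactly what the README's Authorisation section warns against; logging a warning when `cookie` is present would make that opt-in visible.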