mirror of
https://github.com/socketio/socket.io.git
synced 2026-01-13 08:57:59 -05:00
f78a575f66
BREAKING CHANGE: previously, all origins were allowed by default, which
meant that a Socket.IO server sent the necessary CORS headers
(`Access-Control-Allow-xxx`) to any domain by default.
Please note that you are not impacted if:
- you are using Socket.IO v2 and the `origins` option to restrict the list of allowed domains
- you are using Socket.IO v3 (disabled by default)
This commit also removes the support for '*' matchers and protocol-less
URL:
```
io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000'); => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*'); => io.origins(['http://localhost:3000']);
io.origins('*:3000'); => io.origins(['http://localhost:3000']);
```
To restore the previous behavior (please use with caution):
```js
io.origins((_, callback) => {
callback(null, true);
});
```
See also:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://socket.io/docs/v3/handling-cors/
- https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling
Thanks a lot to https://github.com/ni8walk3r for the security report.