Conversation
The header is required by the Tornado XSRF protection mechanism. See Tornado documentation for details.
request. The change is required for Socket.IO to work with Tornado's XSRF protection.
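Why the header matters, as an added illustration that is neither this PR's code nor Tornado's own implementation: a simplified, unversioned reimplementation of Tornado's cookie-to-token comparison, using the real `_xsrf` cookie/argument and `X-XSRFToken`/`X-CSRFToken` header names. A Socket.IO polling POST that carries only the cookie is rejected; mirroring the cookie into the header makes it pass.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Real Tornado names: cookie "_xsrf", form argument "_xsrf", and the two
# accepted request headers. The check below is a simplified illustration
# (no token versioning or masking), not Tornado's own code.
XSRF_COOKIE = "_xsrf"
XSRF_HEADERS = ("X-XSRFToken", "X-CSRFToken")


def issue_xsrf_cookie() -> str:
    """Server side: mint the random token that is set as the _xsrf cookie."""
    return secrets.token_hex(16)


def check_xsrf(cookie_header: str, headers: dict, body: str = "") -> bool:
    """Return True when the request carries a token matching its _xsrf cookie.

    The token may arrive as the _xsrf form argument or as an X-XSRFToken /
    X-CSRFToken header (the header this PR makes Socket.IO send). A browser
    attaches the cookie automatically on a cross-site POST, but a third-party
    page cannot read it, so it cannot supply the matching token."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if XSRF_COOKIE not in jar:
        return False  # no cookie: nothing to compare against
    expected = jar[XSRF_COOKIE].value
    token = parse_qs(body).get(XSRF_COOKIE, [None])[0]
    if token is None:
        lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        for name in XSRF_HEADERS:
            token = lower.get(name.lower())
            if token:
                break
    if not token:
        return False
    return hmac.compare_digest(token, expected)  # constant-time comparison


def socketio_headers_for(cookie_header: str) -> dict:
    """Client side: copy the _xsrf cookie value into the header Tornado accepts."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if XSRF_COOKIE not in jar:
        return {}
    return {"X-XSRFToken": jar[XSRF_COOKIE].value}
```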
Unfortunately this does not belong here. Otherwise we'd have to support every CSRF mechanism for every framework. Try to disable it at the Tornado level.
Right, I've focused solely on the Tornado framework. The CSRF mechanism is there for a reason and disabling it might not be a valid option. It would be great if Socket.IO could provide some sort of extensions/plugins mechanism, especially where HTTP headers or POST methods are involved. Not sure, though, how many people would actually use such a feature... On a side note, the indentation is messed up in some Socket.IO files. Would be good for the project to get it right ;-) Cheers,
How would a third party host be able to guess the URL with the session id to POST to?
Also, indentation will be fixed, it's an open ticket :) |
Sweet :-) Overall, Socket.IO is really good, keep it up :-) Re. the CSRF, it's not a matter of guessing. There are tools (worms) and techniques for making it happen. |
Hello!
You might want to consider including the proposed changes. They enable Socket.IO to work with Tornado and its XSRF protection enabled.
Cheers,
Krzysztof.