From 4708480e7db80688705617b0129dae458260e579 Mon Sep 17 00:00:00 2001 From: Arnout Kazemier Date: Wed, 10 Aug 2011 22:35:30 +0200 Subject: [PATCH 1/3] Added access control for cross domain xhr handshakes --- lib/manager.js | 17 ++++++++++++++--- test/common.js | 2 +- test/manager.test.js | 20 ++++++++++++++++++++ 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/lib/manager.js b/lib/manager.js index 6530b7d30d..4139904524 100644 --- a/lib/manager.js +++ b/lib/manager.js @@ -768,14 +768,16 @@ Manager.prototype.generateId = function () { */ Manager.prototype.handleHandshake = function (data, req, res) { - var self = this; + var self = this + , origin = req.headers.origin + , headers = {}; function writeErr (status, message) { if (data.query.jsonp) { res.writeHead(200, { 'Content-Type': 'application/javascript' }); res.end('io.j[' + data.query.jsonp + '](new Error("' + message + '"));'); } else { - res.writeHead(status); + res.writeHead(status, headers); res.end(message); } }; @@ -792,6 +794,15 @@ Manager.prototype.handleHandshake = function (data, req, res) { var handshakeData = this.handshakeData(data); + if (origin) { + // https://developer.mozilla.org/En/HTTP_Access_Control + headers['Access-Control-Allow-Origin'] = '*'; + + if (req.headers.cookie) { + headers['Access-Control-Allow-Credentials'] = 'true'; + } + } + this.authorize(handshakeData, function (err, authorized, newData) { if (err) return error(err); @@ -808,7 +819,7 @@ Manager.prototype.handleHandshake = function (data, req, res) { hs = 'io.j[' + data.query.jsonp + '](' + JSON.stringify(hs) + ');'; res.writeHead(200, { 'Content-Type': 'application/javascript' }); } else { - res.writeHead(200); + res.writeHead(200, headers); } res.end(hs); diff --git a/test/common.js b/test/common.js index e658f72693..fcd06fc251 100644 --- a/test/common.js +++ b/test/common.js 
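Review bot: The `if (origin)` block in the second lib/manager.js hunk answers every cross-origin handshake with `Access-Control-Allow-Origin: *` and, whenever the request carries a cookie, adds `Access-Control-Allow-Credentials: true`; browsers refuse that pairing for credentialed requests (the wildcard is not accepted together with credentials), so a cookie-bearing cross-domain XHR handshake will still be blocked, and the only way to make it pass would be to echo the request origin, which must not be done for arbitrary origins because it would let any site perform an authenticated handshake. The origin should instead be checked against whatever set of origins the manager is configured to accept (no such setting is visible in these hunks, so this may need to be added) and only an accepted value echoed back, roughly `headers['Access-Control-Allow-Origin'] = origin;` with `headers['Vary'] = 'Origin';`, while `Allow-Credentials` is decided by that policy rather than by the presence of `req.headers.cookie`. The same `*` plus `true` pairing is what the new case in test/manager.test.js asserts, so the test pins the combination that browsers reject. The body of handleHandshake continues outside these hunks.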
@@ -59,6 +59,7 @@ HTTPClient.prototype.request = function (path, opts, fn) { opts.headers.Host = 'localhost'; opts.headers.Connection = 'keep-alive'; + var req = http.request(opts, function (res) { if (false === opts.buffer) return fn && fn(res); @@ -105,7 +106,6 @@ HTTPClient.prototype.end = function () { HTTPClient.prototype.get = function (path, opts, fn) { if ('function' == typeof opts) { fn = opts; - opts = {}; } opts = opts || {}; diff --git a/test/manager.test.js b/test/manager.test.js index 6b8319f85c..d2253495bb 100644 --- a/test/manager.test.js +++ b/test/manager.test.js @@ -472,6 +472,26 @@ module.exports = { }); }, + 'test handshake cross domain access control': function (done) { + var port = ++ports + , io = sio.listen(port) + , cl = client(port) + , headers = { + Origin: 'http://example.org:1337' + , Cookie: 'name=value' + }; + + cl.get('/socket.io/{protocol}/', { headers:headers }, function (res, data) { + res.statusCode.should.eql(200); + res.headers['access-control-allow-origin'].should.eql('*'); + res.headers['access-control-allow-credentials'].should.eql('true'); + + cl.end(); + io.server.close(); + done(); + }); + }, + 'test limiting the supported transports for a manager': function (done) { var port = ++ports , io = sio.listen(port) From a8c61b0001861fd3c36bac2c45f5b43c5558ab48 Mon Sep 17 00:00:00 2001 From: Arnout Kazemier Date: Wed, 10 Aug 2011 22:57:25 +0200 Subject: [PATCH 2/3] undo --- test/common.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/common.js b/test/common.js index fcd06fc251..8137ee501b 100644 --- a/test/common.js +++ b/test/common.js @@ -59,7 +59,6 @@ HTTPClient.prototype.request = function (path, opts, fn) { opts.headers.Host = 'localhost'; opts.headers.Connection = 'keep-alive'; - var req = http.request(opts, function (res) { if (false === opts.buffer) return fn && fn(res); 
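Review bot: The new test in test/manager.test.js only exercises a request that sends both Origin and Cookie; there is no case for a handshake without an Origin header, where the response must carry neither access-control header, nor for Origin without Cookie, so a regression in either branch of the `if (origin)` block would pass unnoticed. A second request issued without those headers, asserting something like `(undefined === res.headers['access-control-allow-origin']).should.be.true;` before `cl.end()`, would close that gap.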
@@ -106,6 +105,7 @@ HTTPClient.prototype.end = function () { HTTPClient.prototype.get = function (path, opts, fn) { if ('function' == typeof opts) { fn = opts; + opts = {} } opts = opts || {}; From e269fcaf0d418a51a8e27ecf7cde9ef1889754ac Mon Sep 17 00:00:00 2001 From: Arnout Kazemier Date: Wed, 10 Aug 2011 22:58:13 +0200 Subject: [PATCH 3/3] Fixed semicolon --- test/common.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/common.js b/test/common.js index 8137ee501b..e658f72693 100644 --- a/test/common.js +++ b/test/common.js @@ -105,7 +105,7 @@ HTTPClient.prototype.end = function () { HTTPClient.prototype.get = function (path, opts, fn) { if ('function' == typeof opts) { fn = opts; - opts = {} + opts = {}; } opts = opts || {};