Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
x/net/websocket: WebSocket listener should not require Origin request header #6361
The WebSocket hander rejects an incoming connection if the HTTP request does not include an "Origin" header. This is contrary to the spec; the Origin header is only necessary if the request came from a web browser: "The request MUST include a header field with the name |Origin| [RFC6454] if the request is coming from a browser client. If the connection is from a non-browser client, the request MAY include this header field if the semantics of that client match the use-case described here for browser clients." -- RFC 6455, section 4.1, item #8: In my use case the request is coming from an application that's not a browser, and there's no meaningful value for this header. I have to set it to an arbitrary value of "http://localhost"; to work around this bug. What steps will reproduce the problem? 1. Run the WebSocket handler example shown in the package documentation: http://godoc.org/code.google.com/p/go.net/websocket#example-Handler 2. Telnet to its port and send the following data: GET /echo HTTP/1.1 Host: localhost:12345 Sec-WebSocket-Version: 13 Upgrade: websocket Sec-WebSocket-Key: oyPxhvkIKpUZSD9Bv9I5xg== Connection: Upgrade What is the expected output? HTTP/1.1 101 Switching Protocols What do you see instead? HTTP/1.1 400 Bad Request (If a line "Origin: http://localhost"; is added to the request, the expected response appears.) Which compiler are you using (5g, 6g, 8g, gccgo)? "go" command Which operating system are you using? Mac OS X 10.9 Which version are you using? (run 'go version') 1.1.1 Please provide any additional information below.
After reading through the package docs more thoroughly, I found this comment on the Handler type: "Handler is a simple interface to a WebSocket browser client. It checks if Origin header is valid URL by default. ... if you want to accept non-browser client, which doesn't send Origin header, you could use Server . that doesn't check origin in its Handshake." So while I think the docs could be more up-front about this, it's not an error in the code.