Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/net/websocket: WebSocket listener should not require Origin request header #6361

Closed
gopherbot opened this issue Sep 11, 2013 · 6 comments
Closed

Comments

@gopherbot
Copy link

@gopherbot gopherbot commented Sep 11, 2013

by Jens.Alfke:

The WebSocket hander rejects an incoming connection if the HTTP request does not include
an "Origin" header. This is contrary to the spec; the Origin header is only
necessary if the request came from a web browser:

        "The request MUST include a header field with the name |Origin|
        [RFC6454] if the request is coming from a browser client.  If
        the connection is from a non-browser client, the request MAY
        include this header field if the semantics of that client match
        the use-case described here for browser clients."
        -- RFC 6455, section 4.1, item #8:

In my use case the request is coming from an application that's not a browser, and
there's no meaningful value for this header. I have to set it to an arbitrary value of
"http://localhost"; to work around this bug.

What steps will reproduce the problem?
1. Run the WebSocket handler example shown in the package documentation:
http://godoc.org/code.google.com/p/go.net/websocket#example-Handler
2. Telnet to its port and send the following data:

GET /echo HTTP/1.1
Host: localhost:12345
Sec-WebSocket-Version: 13
Upgrade: websocket
Sec-WebSocket-Key: oyPxhvkIKpUZSD9Bv9I5xg==
Connection: Upgrade


What is the expected output?

HTTP/1.1 101 Switching Protocols

What do you see instead?

HTTP/1.1 400 Bad Request

(If a line "Origin: http://localhost"; is added to the request, the expected
response appears.)

Which compiler are you using (5g, 6g, 8g, gccgo)?
"go" command


Which operating system are you using?
Mac OS X 10.9

Which version are you using?  (run 'go version')
1.1.1

Please provide any additional information below.
@gopherbot
Copy link
Author

@gopherbot gopherbot commented Sep 11, 2013

Comment 1 by Jens.Alfke:

After reading through the package docs more thoroughly, I found this comment on the
Handler type:
"Handler is a simple interface to a WebSocket browser client. It checks if Origin header
is valid URL by default. ...  if you want to accept non-browser client, which doesn't
send Origin header, you could use Server . that doesn't check origin in its Handshake."
So while I think the docs could be more up-front about this, it's not an error in the
code.
@robpike
Copy link
Contributor

@robpike robpike commented Sep 13, 2013

Comment 2:

Labels changed: added priority-later, documentation, removed priority-triage.

Status changed to Accepted.

@rsc
Copy link
Contributor

@rsc rsc commented Nov 27, 2013

Comment 3:

Labels changed: added go1.3maybe.

@rsc
Copy link
Contributor

@rsc rsc commented Dec 4, 2013

Comment 4:

Labels changed: added release-none, removed go1.3maybe.

@rsc
Copy link
Contributor

@rsc rsc commented Dec 4, 2013

Comment 5:

Labels changed: added repo-net.

@mikioh mikioh changed the title go.net/websocket: WebSocket listener should not require Origin request header x/net/websocket: WebSocket listener should not require Origin request header Dec 23, 2014
@mikioh mikioh added repo-net and removed repo-net labels Dec 23, 2014
@mikioh mikioh changed the title x/net/websocket: WebSocket listener should not require Origin request header websocket: WebSocket listener should not require Origin request header Jan 4, 2015
@mikioh
Copy link
Contributor

@mikioh mikioh commented Mar 7, 2015

Merged into #10102.

@mikioh mikioh closed this Mar 7, 2015
@mikioh mikioh changed the title websocket: WebSocket listener should not require Origin request header x/net/websocket: WebSocket listener should not require Origin request header Jul 30, 2015
@mikioh mikioh modified the milestone: Unreleased Jul 30, 2015
@golang golang locked and limited conversation to collaborators Aug 5, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.