From 40c8f7c23ca0327d5444f9785773098d7eff5768 Mon Sep 17 00:00:00 2001
From: Brian Lukoff <brian.lukoff@gmail.com>
Date: Mon, 25 Sep 2023 13:44:51 -0500
Subject: [PATCH 1/3] Add environment variable to disable CORS in sockjs.

---
 packages/ddp-server/stream_server.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/packages/ddp-server/stream_server.js b/packages/ddp-server/stream_server.js
index 49c0f1385d0..3b06bd3471b 100644
--- a/packages/ddp-server/stream_server.js
+++ b/packages/ddp-server/stream_server.js
@@ -50,6 +50,9 @@ StreamServer = function () {
     // combining CPU-heavy processing with SockJS termination (eg a proxy which
     // converts to Unix sockets) but for now, raise the delay.
     disconnect_delay: 60 * 1000,
+    // Allow disabling of CORS requests to address
+    // https://github.com/meteor/meteor/issues/8317.
+    disable_cors: !!process.env.DISABLE_SOCKJS_CORS
     // Set the USE_JSESSIONID environment variable to enable setting the
     // JSESSIONID cookie. This is useful for setting up proxies with
     // session affinity.

From b144f7627955e1a2c32b95f89e4df48eec6bb702 Mon Sep 17 00:00:00 2001
From: Brian Lukoff <brian.lukoff@gmail.com>
Date: Mon, 25 Sep 2023 13:45:44 -0500
Subject: [PATCH 2/3] Fix typo.

---
 packages/ddp-server/stream_server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/ddp-server/stream_server.js b/packages/ddp-server/stream_server.js
index 3b06bd3471b..bda04141302 100644
--- a/packages/ddp-server/stream_server.js
+++ b/packages/ddp-server/stream_server.js
@@ -52,7 +52,7 @@ StreamServer = function () {
     disconnect_delay: 60 * 1000,
     // Allow disabling of CORS requests to address
     // https://github.com/meteor/meteor/issues/8317.
-    disable_cors: !!process.env.DISABLE_SOCKJS_CORS
+    disable_cors: !!process.env.DISABLE_SOCKJS_CORS,
     // Set the USE_JSESSIONID environment variable to enable setting the
     // JSESSIONID cookie. This is useful for setting up proxies with
     // session affinity.

From 9db182c980dee5916216d547fc36cc09abb50a17 Mon Sep 17 00:00:00 2001
From: Brian Lukoff <brian.lukoff@gmail.com>
Date: Tue, 26 Sep 2023 11:20:29 -0500
Subject: [PATCH 3/3] Add documentation for environment variable.

---
 docs/source/environment-variables.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/source/environment-variables.md b/docs/source/environment-variables.md
index 807851ac474..d9555b64845 100644
--- a/docs/source/environment-variables.md
+++ b/docs/source/environment-variables.md
@@ -33,6 +33,11 @@ In the event that your own deployment platform does not support WebSockets, or y
 
 Set `DISABLE_SOCKJS=1` if you want to use the native WebSocket implementation instead of SockJS on the client side, for example, if you want to use a custom WebSocket implementation (e.g. [uWebSockets.js](https://github.com/uNetworking/uWebSockets.js/)) on the server side.
 
+## DISABLE_SOCKJS_CORS
+(_development, production_)
+
+Set `DISABLE_SOCKJS_CORS=1` if you want to prevent SockJS from setting CORS headers from being set by SockJS. Do not set this option if you will have DDP clients from other origins connecting to the DDP server.
+
 ## HTTP_FORWARDED_COUNT
 (_production_)