Documentation for the Same Origin security policy

miguelgrinberg · Jul 29, 2019 · 5b58794 · 5b58794
1 parent e54dc12
commit 5b58794
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/docs/server.rst b/docs/server.rst
@@ -610,3 +610,23 @@ multiple servers the following conditions must be met:
 - The load balancer must be configured to always forward requests from a client
   to the same process. Load balancers call this *sticky sessions*, or
   *session affinity*.
+
+Cross-Origin Controls
+---------------------
+
+For security reasons, this server enforces a same-origin policy by default. In
+practical terms, this means the following:
+
+- If an incoming HTTP or WebSocket request includes the ``Origin`` header,
+  this header must match the scheme and host of the connection URL. In case
+  of a mismatch, a 400 status code response is returned and the connection is
+  rejected.
+- No restrictions are imposed on incoming requests that do not include the
+  ``Origin`` header.
+
+If necessary, the ``cors_allowed_origins`` option can be used to allow other
+origins. This argument can be set to a string to set a single allowed origin, or
+to a list to allow multiple origins. A special value of ``'*'`` can be used to
+instruct the server to allow all origins, but this should be done with care, as
+this could make the server vulnerable to Cross-Site Request Forgery (CSRF)
+attacks.
diff --git a/engineio/asyncio_server.py b/engineio/asyncio_server.py
@@ -38,7 +38,7 @@ class AsyncServer(server.Server):
     :param cookie: Name of the HTTP cookie that contains the client session
                    id. If set to ``None``, a cookie is not sent to the client.
     :param cors_allowed_origins: Origin or list of origins that are allowed to
-                                 connect to this server. Only the same server
+                                 connect to this server. Only the same origin
                                  is allowed by default. Set this argument to
                                  ``'*'`` to allow all origins.
     :param cors_credentials: Whether credentials (cookies, authentication) are

diff --git a/engineio/server.py b/engineio/server.py
@@ -48,7 +48,7 @@ class Server(object):
                    id. If set to ``None``, a cookie is not sent to the client.
                    The default is ``'io'``.
     :param cors_allowed_origins: Origin or list of origins that are allowed to
-                                 connect to this server. Only the same server
+                                 connect to this server. Only the same origin
                                  is allowed by default. Set this argument to
                                  ``'*'`` to allow all origins.
     :param cors_credentials: Whether credentials (cookies, authentication) are