
#50 - experimental branch on origin header

majek committed Mar 26, 2012
1 parent f10300e commit a5cbe35f49ba44c3a37eaaaa92b6aecd2fb666fc
Showing with 23 additions and 0 deletions.
  1. +6 −0 src/sockjs.coffee
  2. +4 −0 src/trans-eventsource.coffee
  3. +4 −0 src/trans-htmlfile.coffee
  4. +6 −0 src/trans-xhr.coffee
  5. +3 −0 src/transport.coffee
@@ -53,6 +53,11 @@ class App extends webjs.GenericApp
log: (severity, line) ->
@options.log(severity, line)
+ isTrustedOrigin: (url) ->
+ host = url.split('/')[2]
+ r = @options.public_urls.indexOf(host) isnt -1
+ console.log('isTrusted', host, r)
+ return r
utils.objectExtend(App.prototype, iframe.app)
utils.objectExtend(App.prototype, chunking_test.app)
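Review bot: The `console.log('isTrusted', host, r)` line in `isTrustedOrigin` prints a value taken from a request header to stdout on every call and bypasses the `log` method defined just above it. Something like `@log('debug', 'isTrustedOrigin ' + JSON.stringify(host) + ' ' + r)` would go through the configured logger and keep control characters out of the log line, assuming 'debug' is a severity that logger accepts. Separately, `url.split('/')[2]` drops the scheme, so an `http://` and an `https://` origin with the same host match the same `public_urls` entry; if that is intended, a one-line comment saying so would help.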
@@ -127,6 +132,7 @@ class Server extends events.EventEmitter
prefix: ''
response_limit: 128*1024
origins: ['*:*']
+ public_urls: []
websocket: true
jsessionid: true
heartbeat_delay: 25000
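Review bot: The new `public_urls` default has no comment, and the name suggests full URLs while `isTrustedOrigin` compares each entry with the host part of the origin using an exact `indexOf` match. A comment here such as `# host[:port] values whose relayed origin is trusted, e.g. 'example.com:8080' (exact match, no scheme)` would prevent entries that silently never match. The options object continues outside this hunk.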
@@ -19,5 +19,9 @@ exports.app =
# Opera needs one more new line at the start.
res.write('\r\n')
+ req.origin = if @isTrustedOrigin(req.headers.origin or \
+ 'any://' + req.headers.host) then \
+ req.query.origin
+
transport.register(req, @, new EventSourceReceiver(res, @options))
return true
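Review bot: When the request has no Origin header, the added lines fall back to `'any://' + req.headers.host`, so the trust decision is made on the Host header and `req.query.origin` is then accepted unchanged. A missing Origin header does not show that the request came from a trusted front end: plain GET navigations usually omit it and non-browser clients set both headers freely. Requiring the header, `req.origin = if req.headers.origin and @isTrustedOrigin(req.headers.origin) then req.query.origin`, avoids that; if the fallback is needed for same-origin use, a comment should say that the resulting origin is only as reliable as the Host header. The same lines appear in the trans-htmlfile.coffee hunk, and the handler body starts outside this hunk.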
@@ -43,5 +43,9 @@ exports.app =
res.writeHead(200)
res.write(iframe_template.replace(/{{ callback }}/g, callback));
+ req.origin = if @isTrustedOrigin(req.headers.origin or \
+ 'any://' + req.headers.host) then \
+ req.query.origin
+
transport.register(req, @, new HtmlFileReceiver(res, @options))
return true
@@ -66,6 +66,9 @@ exports.app =
res.setHeader('Content-Type', 'application/javascript; charset=UTF-8')
res.writeHead(200)
+ req.origin = if @isTrustedOrigin(req.headers.origin) then \
+ req.headers['x-sockjs-origin']
+
transport.register(req, @, new XhrPollingReceiver(res, @options))
return true
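Review bot: Unlike the eventsource and htmlfile hunks, this call passes `req.headers.origin` with no fallback, so a request without an Origin header reaches `url.split('/')` in `isTrustedOrigin` with `undefined` and throws. By this point the status line has been written, so the exception would surface mid-response. Guarding the call, `req.origin = if req.headers.origin and @isTrustedOrigin(req.headers.origin) then req.headers['x-sockjs-origin']`, or returning false for a non-string `url` inside `isTrustedOrigin`, fixes it. The xhr_streaming hunk below has the same call, and both handlers start outside their hunks.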
@@ -77,5 +80,8 @@ exports.app =
# http://blogs.msdn.com/b/ieinternals/archive/2010/04/06/comet-streaming-in-internet-explorer-with-xmlhttprequest-and-xdomainrequest.aspx
res.write(Array(2049).join('h') + '\n')
+ req.origin = if @isTrustedOrigin(req.headers.origin) then \
+ req.headers['x-sockjs-origin']
+
transport.register(req, @, new XhrStreamingReceiver(res, @options) )
return true
@@ -121,6 +121,9 @@ class Session
for key in ['referer', 'x-client-ip', 'x-forwarded-for', \
'x-cluster-client-ip', 'via', 'x-real-ip']
headers[key] = req.headers[key] if req.headers[key]
+ # Origin is much more complex and computed upfront:
+ headers['x-origin'] = req.origin or req.headers.origin or 'null'
+
if headers
@connection.headers = headers
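Review bot: `headers['x-origin']` merges three sources of different reliability into one field: an origin relayed by a trusted front end, the raw Origin header, and the literal `'null'`. An application reading `connection.headers['x-origin']` cannot tell which one it received. The relayed value (`req.query.origin` or `x-sockjs-origin`) is also stored without any format check. The comment could be extended to `# x-origin: relayed origin when the request came from a public_urls host, otherwise the client's own Origin header; not validated, do not use alone for authorization`. The enclosing method starts outside this hunk.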
