Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add same origin support to SockJS and WebSocket [SPR-12697] #17294

spring-issuemaster opened this issue Feb 6, 2015 · 0 comments


None yet
2 participants
Copy link

commented Feb 6, 2015

Sébastien Deleuze opened SPR-12697 and commented

Simplified support for "same origin" requests for SockJS and WebSocket makes sense for a lot of use cases. But we can't just rely on the lack of Origin header to identify same origin requests, since for example Chrome provides it even for same origin AJAX requests.

As proposed by Rob Winch, we should support a smart "same origin" check that compares Origin header to Host header. A possible implementation is available in this Gist. This check should be added to both AbstractSockJSService and OriginHandshakeInterceptor.

You can see the impact on supported browsers when this mode is enabled in this browser support matrix.

Reference URL:

Issue Links:

  • #17284 Change SockJS default to allowing same origin only ("is depended on by")
  • #17260 AbstractSockJsService.checkAndAddCorsHeaders fails for same origin requests when setAllowedOrigins is set
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.