Add same origin support to SockJS and WebSocket [SPR-12697]

**[Sébastien Deleuze](https://jira.spring.io/secure/ViewProfile.jspa?name=sdeleuze)** opened **[SPR-12697](https://jira.spring.io/browse/SPR-12697?redirect=false)** and commented

Simplified support for "same origin" requests for SockJS and WebSocket makes sense for a lot of use cases. But we can't just rely on the lack of `Origin` header to identify same origin requests, since for example Chrome provides it even for same origin AJAX requests.

As proposed by [Rob Winch](https://jira.spring.io/secure/ViewProfile.jspa?name=rwinch), we should support a smart "same origin" check that compares `Origin` header to `Host` header. A possible implementation is available in this [Gist](https://gist.github.com/sdeleuze/a522ef9096b03737e553). This check should be added to both `AbstractSockJSService` and `OriginHandshakeInterceptor`.

You can see the impact on supported browsers when this mode is enabled in this [browser support matrix](https://docs.google.com/spreadsheets/d/1nmrUh3wl5bsEGFK6jjagikd2SoQ7OIxZ-DlhCbSwnEM/edit?usp=sharing).

---

**Reference URL:** https://gist.github.com/sdeleuze/a522ef9096b03737e553

**Issue Links:**
- #17284 Change SockJS default to allowing same origin only (_**"is depended on by"**_)
- #17260 AbstractSockJsService.checkAndAddCorsHeaders fails for same origin requests when setAllowedOrigins is set



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add same origin support to SockJS and WebSocket [SPR-12697] #17294

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add same origin support to SockJS and WebSocket [SPR-12697] #17294

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions