fix Origin request options. #272

wants to merge 2 commits into


None yet
6 participants

some server will return 403 if Origin header is not a url.

here's the sample code that have the issue.

var WebSocket = require('ws'),
ws = new WebSocket('wss://');

ws.on('message', function() { console.log(arguments); });

@talrasha007 talrasha007 fix Origin request options.
some server will return 403 if Origin header is not a url.

sequoiar commented Dec 8, 2013

it should be

'Origin': (isSecure ? 'https://' : 'http://') + headerHost,


it should be 'Origin': (isSecure ? 'https://' : 'http://') + headerHost,



talrasha007 replied Dec 8, 2013

hmm, actually, it doesn't matter.
"Origin" header is to describe what site issues that request, It can be any valid site URI.

@dalejung dalejung added a commit to dalejung/nbx that referenced this pull request Mar 4, 2014

@dalejung dalejung disbale same origin policy for websockets. ws node.js doesn't send
proper Origin request header. websockets/ws#272

@dalejung dalejung added a commit to dalejung/ipy_node that referenced this pull request Mar 4, 2014

@dalejung dalejung WIP with kernel. ws does not send proper Origin. ebb2f0d

3rd-Eden commented Mar 28, 2014

I agree with @sequoiar here. It makes much more sense to make the protocol either fully configurable or make the protocol dependent on the protocol used in the connection string. As not every single server will just blindly accept HTTP origins.

SorJEF commented Dec 4, 2014

Wanna add some thoughts related to setting Origin header. Hope this helps

In the RFC6455 it is said that Origin header must be sent if a WebSocket connection is performed by browser and it MAY be sent by non-browser clients in some cases. So I think it is not the best way to send Origin header by default if it was not explicitly specified in the options.

Let me know if I need to open another issue for this discussion.

Here are the quotes and references from the RFC spec:

The request MUST include a header field with the name |Origin|[RFC6454] if the request is coming from a browser client. If the connection is from a non-browser client, the request MAY include this header field if the semantics of that client match the use-case described here for browser clients.

Additionally, if the client is a web browser, it supplies /origin/.

The WebSocket Protocol uses the origin model used by web browsers to restrict which web pages can contact a WebSocket server when the WebSocket Protocol is used from a web page. Naturally, when the WebSocket Protocol is used by a dedicated client directly (i.e., not from a web page through a web browser), the origin model is not useful, as the client can provide any arbitrary origin string.

This header field is sent by browser clients; for non-browser clients, this header field may be sent if it makes sense in the context of those clients.

The |Origin| header field [RFC6454] is used to protect against unauthorized cross-origin use of a WebSocket server by scripts using the WebSocket API in a web browser.


tuukka commented May 6, 2015

The merge of #494 resolved this issue.


lpinca commented Oct 15, 2016

Closing as #494 has been merged. Please comment or reopen if needed.

lpinca closed this Oct 15, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment