|
|
@@ -117,4 +117,29 @@
|
|
|
// }
|
|
|
// }
|
|
|
// }
|
|
|
+//
|
|
|
+// Origin Considerations
|
|
|
+//
|
|
|
+// Web browsers allow Javascript applications to open a WebSocket connection to
|
|
|
+// any host. It's up to the server to enforce an origin policy using the Origin
|
|
|
+// request header sent by the browser.
|
|
|
+//
|
|
|
+// The Upgrader calls the function specified in the CheckOrigin field to check
|
|
|
+// the origin. If the CheckOrigin function returns false, then the Upgrade
|
|
|
+// method fails the WebSocket handshake with HTTP status 403.
|
|
|
+//
|
|
|
+// If the CheckOrigin field is nil, then the Upgrader uses a safe default: fail
|
|
|
+// the handshake if the Origin request header is present and not equal to the
|
|
|
+// Host request header.
|
|
|
+//
|
|
|
+// An application can allow connections from any origin by specifying a
|
|
|
+// function that always returns true:
|
|
|
+//
|
|
|
+// var upgrader = websocket.Upgrader{
|
|
|
+// CheckOrigin: func(r *http.Request) bool { return true },
|
|
|
+// }
|
|
|
+//
|
|
|
+// The deprecated Upgrade function does enforce an origin policy. It's the
|
|
|
+// application's responsibility to check the Origin header before calling
|
|
|
+// Upgrade.
|
|
|
package websocket
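Review bot: The last added paragraph contradicts itself: it says the deprecated Upgrade function "does enforce an origin policy", then makes the application responsible for checking the Origin header before calling it. The implementation of Upgrade is not visible in this hunk, but the second sentence suggests a missing "not"; the line would then read `// The deprecated Upgrade function does not enforce an origin policy. It's the`. As written, a reader could conclude the deprecated path is protected and skip the check. Separately, the allow-all example a few lines up would benefit from a caveat, since returning true removes the only cross-site protection this section describes; something like `// Only do this if the handshake is not authenticated by cookies or other credentials the browser attaches automatically.` placed before the example would cover it.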
|