GitHub/ergo
3
0
Fork 0
mirror of https://github.com/ergochat/ergo.git synced 2024-11-22 11:59:40 +01:00
Code Issues Projects Releases Wiki Activity

comment for CheckOrigin

Browse Source
This commit is contained in:
Edmund Huber 2015-06-06 14:05:29 -07:00
parent 0d1c63396b
commit 23d7c81684
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
irc/websocket.go
View File

@ -10,6 +10,15 @@ import (
var upgrader = websocket.Upgrader{
ReadBufferSize: 1024,
WriteBufferSize: 1024,
/* If a WS session contains sensitive information, and you choose to use
cookies for authentication (during the HTTP(S) upgrade request), then
you should check that Origin is a domain under your control. If it
isn't, then it is possible for users of your site, visiting a naughty
Origin, to have a WS opened using their credentials. See
http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html#main.
We don't care about Origin because the (IRC) authentication is contained
in the WS stream -- the WS session is not privileged when it is opened.
*/
CheckOrigin: func(r *http.Request) bool { return true },
}