mirror of
https://github.com/ergochat/ergo.git
synced 2024-12-22 18:52:41 +01:00
comment for CheckOrigin
parent
0d1c63396b
commit
23d7c81684
@ -10,6 +10,15 @@ import (
|
||||
var upgrader = websocket.Upgrader{
|
||||
ReadBufferSize: 1024,
|
||||
WriteBufferSize: 1024,
|
||||
/* If a WS session contains sensitive information, and you choose to use
|
||||
cookies for authentication (during the HTTP(S) upgrade request), then
|
||||
you should check that Origin is a domain under your control. If it
|
||||
isn't, then it is possible for users of your site, visiting a naughty
|
||||
Origin, to have a WS opened using their credentials. See
|
||||
http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html#main.
|
||||
We don't care about Origin because the (IRC) authentication is contained
|
||||
in the WS stream -- the WS session is not privileged when it is opened.
|
||||
*/
|
||||
CheckOrigin: func(r *http.Request) bool { return true },
|
||||
}
|
||||
|
||||
|
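Review bot: The new comment above `CheckOrigin: func(r *http.Request) bool { return true },` gives the reason for accepting any Origin, but it does not record the condition that keeps that safe, which is that nothing in the HTTP upgrade request carries privilege. It names cookies only. The same concern applies to any credential a browser attaches on its own, such as HTTP authentication or a TLS client certificate. Consider adding a sentence saying that CheckOrigin must be revisited if the upgrade handshake ever becomes authenticated, so that a later change does not inherit `return true` without anyone noticing. Two smaller points: "a naughty Origin" would be clearer as "a page served from an Origin you do not control", and Go convention favours `//` line comments over a `/* */` block inside the struct literal.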