Commit 91f589d

Improve check origin documentation
Remove the example code to disable origin checks from the documentation. I am concerned that developers are copying the code without understanding the security implications of the code. Most applications should not use this code.

Change the bad origin error message to mention Upgrader.CheckOrigin.

Mention cross-site request forgery in the Upgrader.CheckOrigin doc.
1 parent 292fd08 commit 91f589d
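The commit removes the "always return true" snippet but leaves no positive model to copy. The following is an added example, not code from this commit or from the gorilla/websocket package: a CheckOrigin function that compares the browser's Origin (scheme and host) against an explicit allow list, following the same "missing Origin is not rejected" policy the diff describes for the library default. The origin and request values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// allowedOrigins returns a CheckOrigin function for websocket.Upgrader that
// accepts a browser origin only if its scheme and host appear verbatim in the
// allow list. The scheme is compared too, so an http:// page cannot open a
// socket meant for the https:// application.
func allowedOrigins(allowed ...string) func(r *http.Request) bool {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		set[strings.ToLower(o)] = true
	}
	return func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			// Same policy as the library default described in the diff:
			// a request without an Origin header (non-browser client) passes.
			return true
		}
		u, err := url.Parse(origin)
		if err != nil || u.Scheme == "" || u.Host == "" {
			// Rejects the literal "null" origin and anything not of the
			// form scheme://host[:port].
			return false
		}
		return set[strings.ToLower(u.Scheme+"://"+u.Host)]
	}
}

func main() {
	// Constructed requests; in a real server this would be wired as
	// websocket.Upgrader{CheckOrigin: allowedOrigins("https://app.example.com")}.
	check := allowedOrigins("https://app.example.com")
	for _, origin := range []string{"https://app.example.com", "https://evil.example.com", "http://app.example.com", "null", ""} {
		r, _ := http.NewRequest("GET", "http://app.example.com/ws", nil)
		if origin != "" {
			r.Header.Set("Origin", origin)
		}
		fmt.Printf("Origin %q allowed: %v\n", origin, check(r))
	}
}
```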

2 files changed: +9 -12 lines changed

doc.go

Lines changed: 2 additions & 9 deletions
@@ -144,15 +144,8 @@
144144
// method fails the WebSocket handshake with HTTP status 403.
145145
//
146146
// If the CheckOrigin field is nil, then the Upgrader uses a safe default: fail
147-
// the handshake if the Origin request header is present and not equal to the
148-
// Host request header.
149-
//
150-
// An application can allow connections from any origin by specifying a
151-
// function that always returns true:
152-
//
153-
// var upgrader = websocket.Upgrader{
154-
// CheckOrigin: func(r *http.Request) bool { return true },
155-
// }
147+
// the handshake if the Origin request header is present and the Origin host is
148+
// not equal to the Host request header.
156149
//
157150
// The deprecated package-level Upgrade function does not perform origin
158151
// checking. The application is responsible for checking the Origin header
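Review bot: the rewritten lines 147-148 describe a host-only comparison (the Origin host against the Host request header), so as worded the default does not consider the scheme, and an http:// origin whose host matches will pass the default check for an https:// service; worth stating that limitation explicitly in the doc. Since the permissive example was removed without a replacement, one sentence saying that a custom CheckOrigin should compare the Origin against an explicit allow list of trusted origins would give developers a safe pattern to copy instead.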

server.go

Lines changed: 7 additions & 3 deletions
@@ -44,8 +44,12 @@ type Upgrader struct {
4444
Error func(w http.ResponseWriter, r *http.Request, status int, reason error)
4545

4646
// CheckOrigin returns true if the request Origin header is acceptable. If
47-
// CheckOrigin is nil, the host in the Origin header must not be set or
48-
// must match the host of the request.
47+
// CheckOrigin is nil, then a safe default is used: return false if the
48+
// Origin request header is present and the origin host is not equal to
49+
// request Host header.
50+
//
51+
// A CheckOrigin function should carefully validate the request origin to
52+
// prevent cross-site request forgery.
4953
CheckOrigin func(r *http.Request) bool
5054

5155
// EnableCompression specify if the server should attempt to negotiate per
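Review bot: line 49 reads "is not equal to request Host header" and is missing "the" ("is not equal to the request Host header"). The two doc comments also now describe the same default in different words (doc.go says "fail the handshake", this hunk says "return false"); aligning the wording would avoid readers wondering whether the two describe different behaviour.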
@@ -131,7 +135,7 @@ func (u *Upgrader) Upgrade(w http.ResponseWriter, r *http.Request, responseHeade
131135
checkOrigin = checkSameOrigin
132136
}
133137
if !checkOrigin(r) {
134-
return u.returnError(w, r, http.StatusForbidden, "websocket: 'Origin' header value not allowed")
138+
return u.returnError(w, r, http.StatusForbidden, "websocket: request origin not allowed by Upgrader.CheckOrigin")
135139
}
136140

137141
challengeKey := r.Header.Get("Sec-Websocket-Key")
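Review bot: the new reason string at line 138 points developers at the right setting, but neither the string nor the value handed to u.returnError carries the rejected Origin, so an operator reading server logs cannot tell a misconfigured reverse proxy (Host header mismatch) from a genuine cross-site attempt. Consider including r.Header.Get("Origin") in the reason, or documenting that the application's Error hook receives r and can log the offending origin itself.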
