sockjs/sockjs-node

Bring back the Origin header

majek opened this issue · 1 comments

In SockJS 0.2.1 we removed the Origin header from the white list of not-terribly-bad headers that can be exposed to the app.

Apparently, there are some proper uses of that header - namely for logging. We should bring back this header, just clear it up for the iframe transports.

Most likely I won't merge those changes. The approach I took is:

  • not fully functional (no way to get origin for jsonp)
  • hard to use (one would need to configure a new option: public_urls)
  • hard to understand
  • not necessarily secure (although I did my best to cover the most obvious issues, I'm not completely convinced that my solution is secure)