-
Randall Leeds authored
Rather than using the cross site request forgery token in the URL for the WebSocket, check the HTTP Origin header. All spec-compliant user agents send a proper Origin header so this is sufficient to protect users from malicious cross-site access to the WebSocket. As a consequence, the front-end code to bootstrap the streamer can be simplified. The streamer no longer has any provider. Its URL and transport are passed explicitly to the ``open`` method. While I was here, I added support for the ``protocols`` argument to the ``open`` method, added support for the ``onopen`` and ``onclose`` handlers, set the client identifier on the ``$http`` service default headers, aligned the state constants with the standard ones, and ensured that the socket cannot be closed twice.
041a6dff