    Refactor WebSocket origin security · 041a6dff
    Randall Leeds authored
    Rather than using the cross-site request forgery token in the URL
    for the WebSocket, check the HTTP Origin header. All spec-compliant
    user agents send a proper Origin header, so this is sufficient to
    protect users from malicious cross-site access to the WebSocket.
    
    As a consequence, the front-end code to bootstrap the streamer can
    be simplified. The streamer no longer has any provider. Its URL and
    transport are passed explicitly to the ``open`` method.
    
    While I was here, I added support for the ``protocols`` argument to
    the ``open`` method, added support for the ``onopen`` and ``onclose``
    handlers, set the client identifier on the ``$http`` service default
    headers, aligned the state constants with the standard ones, and
    ensured that the socket cannot be closed twice.
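The server-side check the commit describes, as an added example that is not the project's own code: a framework-independent Python origin check for a WebSocket handshake. It assumes a constructed allowlist (ALLOWED_ORIGINS) and a plain dict of request headers; the function names are hypothetical. It normalizes scheme, host and port before comparing, and rejects a missing or "null" Origin, since a browser always sends one on a WebSocket handshake.

```python
"""Origin check for a WebSocket handshake (added example, not h's code).

Assumptions: a constructed allowlist of origins the app's own pages are
served from, and request headers supplied as a plain dict.
"""
from urllib.parse import urlsplit

# Constructed allowlist; the real values depend on the deployment.
ALLOWED_ORIGINS = {"https://hypothes.is", "https://app.example.org:8443"}

# Default ports, so "https://a.example" == "https://a.example:443".
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin value, or None if it is
    absent, opaque ("null"), or not a bare scheme://host[:port] tuple."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A serialized origin carries no path, query, fragment or userinfo;
    # anything else is malformed and is rejected rather than guessed at.
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    # .hostname is already lower-cased; hosts compare case-insensitively.
    return (parts.scheme, parts.hostname, port)


# Normalize the allowlist once so comparisons are tuple equality.
_ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def origin_allowed(headers):
    """True if the handshake's Origin header names an allowed origin.

    A missing Origin yields None, which is never in the allowlist, so the
    request is refused: a spec-compliant browser always sends Origin on a
    WebSocket handshake, and its absence means the request did not come
    from a page we serve (or came from a non-browser client).
    """
    return normalize_origin(headers.get("Origin")) in _ALLOWED


def handshake_status(headers):
    """Status line to answer a handshake with (constructed; a real server
    also validates Sec-WebSocket-Key, Sec-WebSocket-Version, etc.)."""
    if headers.get("Upgrade", "").lower() != "websocket":
        return "400 Bad Request"
    if not origin_allowed(headers):
        return "403 Forbidden"
    return "101 Switching Protocols"


if __name__ == "__main__":
    # Constructed handshakes: a same-origin page, a cross-site attacker
    # page, and a request with no Origin at all.
    for hdrs in (
        {"Upgrade": "websocket", "Origin": "https://hypothes.is"},
        {"Upgrade": "websocket", "Origin": "https://evil.example"},
        {"Upgrade": "websocket"},
    ):
        print(hdrs.get("Origin"), "->", handshake_status(hdrs))
```

The check defends browser users against cross-site WebSocket hijacking, which is the threat the commit addresses; it is not authentication, because a non-browser client can send any Origin it likes, so the socket's own authorization still has to rely on the session or other credentials. Compare scheme and port as well as host: an `http://` page from the same host, or a different port, is a different origin.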
controllers.coffee 8.3 KB