branch: externals/websocket commit 28e55d565474af0f3ec7abb42daa4bc4a3ea2b4e Author: Andrew Hyatt <ahy...@gmail.com> Commit: Andrew Hyatt <ahy...@gmail.com>
Fix misuse of same-origin policy Due to a misapplication of the websocket RFC, we were sending the system name as the origin, instead of the hostname. It turns out that it should be fine not to even send the origin at all, since there's not a possibility of cross-origin issues with emacs.
---
 websocket-test.el | 6 +-----
 websocket.el | 2 --
 2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/websocket-test.el b/websocket-test.el
index e51d440069..442710bfdb 100644
--- a/websocket-test.el
+++ b/websocket-test.el
@@ -193,12 +193,10 @@
 (websocket-negotiated-extensions ws-with-extensions)))))

 (ert-deftest websocket-create-headers ()
- (let ((system-name "mysystem")
- (base-headers (concat "Host: www.example.com\r\n"
+ (let ((base-headers (concat "Host: www.example.com\r\n"
 "Upgrade: websocket\r\n"
 "Connection: Upgrade\r\n"
 "Sec-WebSocket-Key: key\r\n"
- "Origin: mysystem\r\n"
 "Sec-WebSocket-Version: 13\r\n")))
 (should (equal (concat base-headers "\r\n")
 (websocket-create-headers "ws://www.example.com/path"
@@ -423,7 +421,6 @@
 (upgrade "Upgrade: websocket")
 (key (format "Sec-Websocket-Key: %s" "key"))
 (version "Sec-Websocket-Version: 13")
- (origin "Origin: origin")
 (protocol "Sec-Websocket-Protocol: protocol")
 (extensions1 "Sec-Websocket-Extensions: foo")
 (extensions2 "Sec-Websocket-Extensions: bar; baz=2")
@@ -529,7 +526,6 @@
 "Upgrade: websocket\r\n"
 "Connection: Upgrade\r\n"
 "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
- "Origin: http://example.com\r\n"
 "Sec-WebSocket-Protocol: chat, superchat\r\n"
 "Sec-WebSocket-Version: 13\r\n"))))
 (should header-info)
diff --git a/websocket.el b/websocket.el
index 72c1fd5dd0..a62c40b66a 100644
--- a/websocket.el
+++ b/websocket.el
@@ -856,7 +856,6 @@ These are defined as in `websocket-open'."
 "Upgrade: websocket\r\n"
 "Connection: Upgrade\r\n"
 "Sec-WebSocket-Key: %s\r\n"
- "Origin: %s\r\n"
 "Sec-WebSocket-Version: 13\r\n"
 (when protocol
 (concat
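Review bot: The expected header block in `websocket-create-headers` (first websocket-test.el hunk) now pins the client handshake to never carry `Origin`, and the two websocket.el hunks delete the header outright, so nothing visible here lets a caller supply one. RFC 6455 makes `Origin` optional for non-browser clients, so dropping the system name is sound, but a server that checks `Origin` against an allow-list as its cross-site hijacking defence may refuse a handshake that lacks it. Whether `websocket-open` has another way to pass extra headers cannot be seen from these hunks; if it does not, its docstring should say so, for example `No Origin header is sent; a server that requires one will reject the handshake.` The `ert-deftest` form runs past the end of the hunk.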
@@ -876,7 +875,6 @@ These are defined as in `websocket-open'."
 "\r\n")
 (url-host (url-generic-parse-url url))
 key
- system-name
 protocol))

 (defun websocket-get-server-response (websocket client-protocols client-extensions)