|
@@ -10,6 +10,15 @@ import (
|
10
|
10
|
var upgrader = websocket.Upgrader{
|
11
|
11
|
ReadBufferSize: 1024,
|
12
|
12
|
WriteBufferSize: 1024,
|
|
13
|
+ /* If a WS session contains sensitive information, and you choose to use
|
|
14
|
+ cookies for authentication (during the HTTP(S) upgrade request), then
|
|
15
|
+ you should check that Origin is a domain under your control. If it
|
|
16
|
+ isn't, then it is possible for users of your site, visiting a naughty
|
|
17
|
+ Origin, to have a WS opened using their credentials. See
|
|
18
|
+ http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html#main.
|
|
19
|
+ We don't care about Origin because the (IRC) authentication is contained
|
|
20
|
+ in the WS stream -- the WS session is not privileged when it is opened.
|
|
21
|
+ */
|
13
|
22
|
CheckOrigin: func(r *http.Request) bool { return true },
|
14
|
23
|
}
|
15
|
24
|
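Review bot: The new comment (new lines 13–21) justifies `CheckOrigin: func(r *http.Request) bool { return true }` by the invariant that nothing on the upgrade request is an ambient credential, but it names only cookies; browser-cached HTTP Basic/Digest credentials and TLS client certificates are the same class, and any later change that authenticates at the HTTP layer would silently make the permissive check unsafe. I would state that dependency explicitly in the comment, e.g. append `// NOTE: revisit this if any authentication ever moves to the HTTP upgrade request (cookies, Authorization header, client certs) -- at that point CheckOrigin must verify Origin against an allowlist (or be dropped for the library's same-origin default, if this is gorilla/websocket).` Since the server accepts upgrades from any origin, any connection or message rate limits it relies on should not assume every session was opened by a first-party page, and the cited reference should use an https URL. `upgrader` is a package-level var, so the whole struct literal is inside the hunk.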
|