Documentation for the Same Origin security policy
miguelgrinberg committed Jul 29, 2019
1 parent e54dc12 commit 5b58794
Showing 3 changed files with 22 additions and 2 deletions.
20 changes: 20 additions & 0 deletions docs/server.rst
@@ -610,3 +610,23 @@ multiple servers the following conditions must be met:
- The load balancer must be configured to always forward requests from a client
to the same process. Load balancers call this *sticky sessions*, or
*session affinity*.

Cross-Origin Controls
---------------------

For security reasons, this server enforces a same-origin policy by default. In
practical terms, this means the following:

- If an incoming HTTP or WebSocket request includes the ``Origin`` header,
this header must match the scheme and host of the connection URL. In case
of a mismatch, a 400 status code response is returned and the connection is
rejected.
- No restrictions are imposed on incoming requests that do not include the
``Origin`` header.

If necessary, the ``cors_allowed_origins`` option can be used to allow other
origins. This argument can be set to a string to set a single allowed origin, or
to a list to allow multiple origins. A special value of ``'*'`` can be used to
instruct the server to allow all origins, but this should be done with care, as
this could make the server vulnerable to Cross-Site Request Forgery (CSRF)
attacks.
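Review bot: The new "Cross-Origin Controls" section says the ``Origin`` header "must match the scheme and host of the connection URL" but does not say whether the port is part of that comparison, nor what form entries in ``cors_allowed_origins`` must take. Since ``Origin`` values carry a non-default port (for example ``http://localhost:8080``), readers need to know whether to list the origin with its port and whether the match is exact. Suggest stating the expected format of each entry (scheme and host, with port where applicable) and that the comparison is exact. Because this section sits directly after the load balancer requirements, it is also worth a sentence that a proxy terminating TLS can make the scheme the server sees differ from the one in the browser's ``Origin`` header, which would produce the 400 response described above; that is the case where users will most likely reach for ``'*'``, and pointing them at listing the public origin instead supports the CSRF warning at the end of the section.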
2 changes: 1 addition & 1 deletion engineio/asyncio_server.py
@@ -38,7 +38,7 @@ class AsyncServer(server.Server):
:param cookie: Name of the HTTP cookie that contains the client session
id. If set to ``None``, a cookie is not sent to the client.
:param cors_allowed_origins: Origin or list of origins that are allowed to
connect to this server. Only the same server
connect to this server. Only the same origin
is allowed by default. Set this argument to
``'*'`` to allow all origins.
:param cors_credentials: Whether credentials (cookies, authentication) are
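Review bot: The wording fix ("same server" to "same origin") is correct, but the ``AsyncServer`` docstring for ``cookie`` ends at "a cookie is not sent to the client." while the ``Server`` docstring in the same commit adds "The default is ``'io'``." Please confirm whether the asyncio server uses the same default and, if so, add the same sentence here so the two API references agree. It would also help to say, as the new rst section does, that requests without an ``Origin`` header are not restricted, so readers of the docstring alone do not assume the check covers non-browser clients.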
2 changes: 1 addition & 1 deletion engineio/server.py
@@ -48,7 +48,7 @@ class Server(object):
id. If set to ``None``, a cookie is not sent to the client.
The default is ``'io'``.
:param cors_allowed_origins: Origin or list of origins that are allowed to
connect to this server. Only the same server
connect to this server. Only the same origin
is allowed by default. Set this argument to
``'*'`` to allow all origins.
:param cors_credentials: Whether credentials (cookies, authentication) are
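Review bot: "Origin or list of origins" in this docstring leaves the entry format unstated; suggest the same clarification as in the rst section, e.g. that each entry is a scheme and host such as ``'https://example.com'``, and that ``'*'`` disables the check entirely (with the CSRF caveat the docs give). Stating the default literally, as the ``cookie`` parameter above does with "The default is ``'io'``", would also make the "Only the same origin is allowed by default" sentence easier to map to the actual parameter value.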