[fix] [#465] [#418] Revert PR for now

ptaoussanis · ptaoussanis · commit c79b95a23a9c · 2025-06-25T18:59:47.000+02:00
Temporarily revert commit 8810cd2 since it looks like that change might cause problems with some browser + server combos (e.g. Chrome + http-kit).
diff --git a/src/taoensso/sente.cljc b/src/taoensso/sente.cljc
@@ -369,8 +369,6 @@
   (allow-origin? #{"http://site.com"} {:headers {"referer" "http://attacker.com/"}})
   (allow-origin? #{"http://site.com"} {:headers {"referer" "http://site.com.attacker.com/"}}))
 
-(def ^:private sente-csrf-token-prefix "sente-csrf-token-")
-
 (defn make-channel-socket-server!
   "Takes a web server adapter[1] and returns a map with keys:
 
@@ -635,21 +633,6 @@
           ;; undefined):
           nil)
 
-        sente-csrf-token-pred
-        (fn [s]
-          (when (str/starts-with? s sente-csrf-token-prefix)
-            (subs s (count sente-csrf-token-prefix))))
-
-        ws-csrf-token
-        (fn [ring-req]
-          (let [headers (get ring-req :headers)]
-            (when-let [ws? (= "websocket"  (get headers "upgrade") )]
-              (let [sec-websocket-protocol (get headers "sec-websocket-protocol")
-                    protocol-vals
-                    (when (string? sec-websocket-protocol)
-                      (str/split   sec-websocket-protocol #", *"))]
-                (enc/rsome sente-csrf-token-pred protocol-vals)))))
-
         bad-csrf?
         (fn [ring-req]
           (if (nil? csrf-token-fn) ; Provides a way to disable CSRF check
@@ -659,8 +642,7 @@
                     (or
                       (get-in ring-req [:params    :csrf-token])
                       (get-in ring-req [:headers "x-csrf-token"])
-                      (get-in ring-req [:headers "x-xsrf-token"])
-                      (ws-csrf-token ring-req))]
+                      (get-in ring-req [:headers "x-xsrf-token"]))]
 
                 (not
                   (enc/const-str=
@@ -1334,8 +1316,7 @@
                   (enc/oget @?node-npm-websocket_ "w3cwebsocket"))]
 
        (delay
-         (let [protocols (get headers :sec-websocket-protocol)
-               socket    (WebSocket. uri-str protocols)]
+         (let [socket (WebSocket. uri-str)]
            (doto socket
              (aset "onerror"   on-error)
              (aset "onmessage" on-message) ; Nb receives both push & cb evs!
@@ -1588,20 +1569,13 @@
                           {:on-error   on-error
                            :on-message on-message
                            :on-close   on-close
-                           :headers
-                           (update headers :sec-websocket-protocol
-                             (fn [x]
-                               (let [csrf-token
-                                     (str    sente-csrf-token-prefix
-                                       (get-client-csrf-token-str :dynamic (:csrf-token @state_)))]
-                                 (cond
-                                   (string? x)      [x csrf-token]
-                                   (coll?   x) (conj x csrf-token)
-                                   :else               csrf-token))))
-
+                           :headers    headers
                            :uri-str
                            (enc/merge-url-with-query-string url
-                             (assoc params :client-id client-id))}))
+                             (merge params ; 1st (don't clobber impl.):
+                               {:client-id  client-id
+                                :csrf-token (get-client-csrf-token-str :dynamic
+                                              (:csrf-token @state_))}))}))
 
                       (catch #?(:clj Throwable :cljs :default) t
                         (timbre/errorf t "Error creating WebSocket client")
