mirror of
https://github.com/gogrlx/nats-server.git
synced 2026-04-17 03:24:40 -07:00
There are 2 options, same_origin and allowed_origins, that should apply only to web browsers that set the Origin HTTP header. If the header is not present, the server should not fail direct clients using the WebSocket protocol, or leafnodes.

From spec: https://datatracker.ietf.org/doc/html/rfc6455#section-1.6

The WebSocket Protocol uses the origin model used by web browsers to restrict which web pages can contact a WebSocket server when the WebSocket Protocol is used from a web page. Naturally, when the WebSocket Protocol is used by a dedicated client directly (i.e., not from a web page through a web browser), the origin model is not useful, as the client can provide any arbitrary origin string.

Resolves #2207

Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
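
The behaviour described in the commit message above, as an added sketch that is not the nats-server code: `checkOrigin` and `hostPort` are hypothetical names and the hosts are constructed. A request without an Origin header passes; only a request that carries one is checked against same_origin and allowed_origins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// hostPort lowercases host and appends the default port when none is given.
func hostPort(secure bool, host string) string {
	host = strings.ToLower(host)
	if (&url.URL{Host: host}).Port() != "" {
		return host
	}
	if secure {
		return host + ":443"
	}
	return host + ":80"
}

// checkOrigin is a hypothetical helper; parameter names mirror the two options.
func checkOrigin(r *http.Request, sameOrigin bool, allowed []string) error {
	origin := r.Header.Get("Origin")
	if origin == "" || (!sameOrigin && len(allowed) == 0) {
		return nil // direct client or leafnode (no header), or no policy set
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return fmt.Errorf("invalid Origin %q", origin)
	}
	got := hostPort(u.Scheme == "https", u.Host)
	if sameOrigin && got != hostPort(r.TLS != nil, r.Host) {
		return fmt.Errorf("origin %q does not match host %q", origin, r.Host)
	}
	ok := len(allowed) == 0
	for _, a := range allowed {
		au, err := url.Parse(a)
		ok = ok || (err == nil && au.Scheme == u.Scheme && hostPort(au.Scheme == "https", au.Host) == got)
	}
	if !ok {
		return fmt.Errorf("origin %q is not in the allowed list", origin)
	}
	return nil
}

func main() {
	r := &http.Request{Host: "nats.example.com:8080", Header: http.Header{"Origin": {"https://other.example"}}} // constructed
	fmt.Println(checkOrigin(r, true, nil))
}
```

Because a dedicated client can send any Origin string, this check only constrains browsers and does not replace client authentication.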
113 KiB