Add documentation about origin policy.

2014-10-12 09:34:51 -07:00 · 2014-10-12 09:34:51 -07:00 · 87f6f6a22e
parent a6f041ac33
commit 87f6f6a22e
1 changed files with 25 additions and 0 deletions
--- a/doc.go
+++ b/doc.go
@ -117,4 +117,29 @@
 //          }
 //      }
 //  }
+//
+// Origin Considerations
+//
+// Web browsers allow Javascript applications to open a WebSocket connection to
+// any host. It's up to the server to enforce an origin policy using the Origin
+// request header sent by the browser.
+//
+// The Upgrader calls the function specified in the CheckOrigin field to check
+// the origin. If the CheckOrigin function returns false, then the Upgrade
+// method fails the WebSocket handshake with HTTP status 403.
+//
+// If the CheckOrigin field is nil, then the Upgrader uses a safe default: fail
+// the handshake if the Origin request header is present and not equal to the
+// Host request header.
+//
+// An application can allow connections from any origin by specifying a
+// function that always returns true:
+//
+//    var upgrader = websocket.Upgrader{
+//      CheckOrigin: func(r *http.Request) bool { return true },
+//   }
+//
+// The deprecated Upgrade function does enforce an origin policy. It's the
+// application's responsibility to check the Origin header before calling
+// Upgrade.
 package websocket