From 87f6f6a22ebfbc3f89b9ccdc7fddd1b914c095f9 Mon Sep 17 00:00:00 2001
From: Gary Burd
Date: Sun, 12 Oct 2014 09:34:51 -0700
Subject: [PATCH] Add documentation about origin policy.
---
 doc.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/doc.go b/doc.go
index efde3dc..798de9c 100644
--- a/doc.go
+++ b/doc.go
@@ -117,4 +117,29 @@
 // }
 // }
 // }
+//
+// Origin Considerations
+//
+// Web browsers allow Javascript applications to open a WebSocket connection to
+// any host. It's up to the server to enforce an origin policy using the Origin
+// request header sent by the browser.
+//
+// The Upgrader calls the function specified in the CheckOrigin field to check
+// the origin. If the CheckOrigin function returns false, then the Upgrade
+// method fails the WebSocket handshake with HTTP status 403.
+//
+// If the CheckOrigin field is nil, then the Upgrader uses a safe default: fail
+// the handshake if the Origin request header is present and not equal to the
+// Host request header.
+//
+// An application can allow connections from any origin by specifying a
+// function that always returns true:
+//
+// var upgrader = websocket.Upgrader{
+// CheckOrigin: func(r *http.Request) bool { return true },
+// }
+//
+// The deprecated Upgrade function does enforce an origin policy. It's the
+// application's responsibility to check the Origin header before calling
+// Upgrade.
 package websocket
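Review bot: The last added paragraph states that the deprecated Upgrade function `does enforce an origin policy`, yet the next sentence makes the application responsible for checking Origin before calling it, so the sentence appears to have lost a `not`. As written it tells readers the deprecated path is protected, which is the opposite of what the paragraph goes on to say. I would change it to `// The deprecated Upgrade function does not enforce an origin policy. It's the`. The allow-any-origin example could also carry a one-line caveat, such as `// Only do this if the handshake does not rely on cookies or other credentials the browser attaches automatically.`, because a CheckOrigin that always returns true lets a page on any site open an authenticated connection from the user's browser. The "safe default" paragraph might also note that a request with no Origin header is accepted, as the wording implies, so the check constrains browsers rather than arbitrary clients.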