Add documentation about origin policy.

This commit is contained in:
Gary Burd 2014-10-12 09:34:51 -07:00
parent a6f041ac33
commit 87f6f6a22e
1 changed files with 25 additions and 0 deletions

25
doc.go
View File

@ -117,4 +117,29 @@
// } // }
// } // }
// } // }
//
// Origin Considerations
//
// Web browsers allow Javascript applications to open a WebSocket connection to
// any host. It's up to the server to enforce an origin policy using the Origin
// request header sent by the browser.
//
// The Upgrader calls the function specified in the CheckOrigin field to check
// the origin. If the CheckOrigin function returns false, then the Upgrade
// method fails the WebSocket handshake with HTTP status 403.
//
// If the CheckOrigin field is nil, then the Upgrader uses a safe default: fail
// the handshake if the Origin request header is present and not equal to the
// Host request header.
//
// An application can allow connections from any origin by specifying a
// function that always returns true:
//
// var upgrader = websocket.Upgrader{
// CheckOrigin: func(r *http.Request) bool { return true },
// }
//
// The deprecated Upgrade function does enforce an origin policy. It's the
// application's responsibility to check the Origin header before calling
// Upgrade.
package websocket package websocket