Remove the example code to disable origin checks from the documentation.
I am concerned that developers are copying the code without
understanding the security implications of the code. Most applications
should not use this code.
Change the bad origin error message to mention Upgrader.CheckOrigin
Mention cross-site request forgery in the Upgrader.CheckOrigin doc.
Change the error text for bad handshake errors from
websocket: not a websocket handshake:
to:
websocket: the client is not using the websocket protocol:
The new text should be more helpful to developers who do not know or
understand the details of the protocol.
Test for bad handshake before other request errors.
Reuse the buffer backing the bufio.Writer returned from hijack if that
buffer is large enough to be generally useful and
Upgrader.WriteBufferSize == 0.
Update the logic for reusing bufio.Reader returned from hijack to match
the logic for bufio.Reader: The buffer backing the reader must be
sufficiently large to be generally useful and Upgrader.ReadBufferSize ==
0.
Improve the documentation for ReadBufferSize and WriteBufferSize in
Dialer and Upgrader.
Upgrade typically fails because the request is not a handshake, not
because the handshake is malformed. To help developers diagnose the
common case, state explicitly that the request is not a handshake in
error messages.
To help diagnose malformed requests, capitalize and 'quote' header names
in error messages.
Update the error messages for missing 'Connection: upgrade' and
'Upgrade: websocket' tokens to indicate that the header might not be
present. The previous error message implied that the header is present,
but has the wrong value. This leads to some confusion for those
debugging connection problems.
Update the default origin test to treat no origin specified as OK. If
the client can create a request without the origin set, then the client
can also create a request with an arbitrary origin.
- Revert back to using Subprotocols []string. The protocol negotiation
using Subprotocols should meet the needs of most applications.
Applications are not locked into using this negotiation. An
application can pick a protocol some other way and specify the
protocol using the Sec-Websocket-Protocol response header.
- Parse the origin using url.Parse. This is the correct function to use
when parsing a full URL.
- Improve comments.
- Introduce ReadMessage and WriteMessage before NextReader and
NextWriter in the package comment. It's better to introduce the easy
methods first.
- Move the sections on message types before the concurrency section.
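The origin policy described in these changes (missing Origin accepted, otherwise Origin host compared to the request Host, parsed with url.Parse) and the allow-list an application would supply instead of disabling the check, as an added example that is not the project's own code; `checkSameOrigin`, `allowListOrigin` and `newRequest` are hypothetical names and the hosts are constructed.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// checkSameOrigin follows the default policy described above: no Origin
// header is accepted (a client that can omit Origin can also forge one),
// otherwise the Origin host must match the request Host.
func checkSameOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin) // Origin is a full URL, so url.Parse applies
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// allowListOrigin returns a CheckOrigin-style function that accepts only the
// listed origins (scheme://host[:port]); the alternative to disabling the check.
func allowListOrigin(allowed ...string) func(*http.Request) bool {
	set := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		set[strings.ToLower(a)] = true
	}
	return func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			return true // non-browser client; same reasoning as above
		}
		u, err := url.Parse(origin)
		if err != nil || u.Scheme == "" || u.Host == "" {
			return false // bare host names or garbage never match the list
		}
		return set[strings.ToLower(u.Scheme+"://"+u.Host)]
	}
}

// newRequest builds a constructed handshake request; an empty origin omits
// the header, as a non-browser client would.
func newRequest(host, origin string) *http.Request {
	r, _ := http.NewRequest("GET", "http://"+host+"/ws", nil)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}
```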