From d4c2fc3bc8f5b96feb932d17169820746e025be1 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Thu, 23 Feb 2017 11:54:46 -0500
Subject: [PATCH] closes #5472

---
 src/socket.io/index.js | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/socket.io/index.js b/src/socket.io/index.js
index 58e31a78ea..f4732d9d9e 100644
--- a/src/socket.io/index.js
+++ b/src/socket.io/index.js
@@ -33,6 +33,28 @@ Sockets.init = function (server) {
 
 	io.on('connection', onConnection);
 
+	/*
+	 * Restrict socket.io listener to cookie domain. If none is set, infer based on url.
+	 * Production only so you don't get accidentally locked out.
+	 * Can be overridden via config (socket.io:origins)
+	 */
+	if (process.env.NODE_ENV !== 'development') {
+		var domain = nconf.get('cookieDomain');
+		var parsedUrl = url.parse(nconf.get('url'));
+		var override = nconf.get('socket.io:origins');
+		if (!domain) {
+			domain = parsedUrl.hostname;	// cookies don't provide isolation by port: http://stackoverflow.com/a/16328399/122353
+		}
+
+		if (!override) {
+			io.set('origins', parsedUrl.protocol + '//' + domain + ':*');
+			winston.info('[socket.io] Restricting access to origin: ' + parsedUrl.protocol + '//' + domain + ':*');
+		} else {
+			io.set('origins', override);
+			winston.info('[socket.io] Restricting access to origin: ' + override);
+		}
+	}
+
 	io.listen(server, {
 		transports: nconf.get('socket.io:transports')
 	});