From d4c2fc3bc8f5b96feb932d17169820746e025be1 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 23 Feb 2017 11:54:46 -0500
Subject: [PATCH] closes #5472
---
src/socket.io/index.js | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/socket.io/index.js b/src/socket.io/index.js
index 58e31a78ea..f4732d9d9e 100644
--- a/src/socket.io/index.js
+++ b/src/socket.io/index.js
@@ -33,6 +33,28 @@ Sockets.init = function (server) {
 io.on('connection', onConnection);
+ /*
+ * Restrict socket.io listener to cookie domain. If none is set, infer based on url.
+ * Production only so you don't get accidentally locked out.
+ * Can be overridden via config (socket.io:origins)
+ */
+ if (process.env.NODE_ENV !== 'development') {
+ var domain = nconf.get('cookieDomain');
+ var parsedUrl = url.parse(nconf.get('url'));
+ var override = nconf.get('socket.io:origins');
+ if (!domain) {
+ domain = parsedUrl.hostname; // cookies don't provide isolation by port: http://stackoverflow.com/a/16328399/122353
+ }
+
+ if (!override) {
+ io.set('origins', parsedUrl.protocol + '//' + domain + ':*');
+ winston.info('[socket.io] Restricting access to origin: ' + parsedUrl.protocol + '//' + domain + ':*');
+ } else {
+ io.set('origins', override);
+ winston.info('[socket.io] Restricting access to origin: ' + override);
+ }
+ }
+
 io.listen(server, {
 transports: nconf.get('socket.io:transports')
 });
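Review bot: The `cookieDomain` value is dropped into the origins list verbatim (`parsedUrl.protocol + '//' + domain + ':*'`), but a cookie domain is normally a parent scope such as `.example.com`, often with the leading dot, while socket.io 1.x appears to compare the parsed Origin hostname exactly against that list, so `https://.example.com:*` would reject a browser on `https://forum.example.com` and lock a production site out — the opposite of what the block comment intends. Since the pages that open the socket are served from `url`, the safer default is the one the fallback already computes: replace the `cookieDomain` lookup and the `if (!domain)` block with `var domain = parsedUrl.hostname;` and leave multi-host deployments to the `socket.io:origins` override. That override is applied without any check, so a configured `*:*` silently disables what is, as far as this file shows, the only cross-site WebSocket-hijacking guard; I would at least log it: `if (override.indexOf('*:*') !== -1) { winston.warn('[socket.io] origins override disables the origin check'); }`. Note that this check only evaluates the `Origin` header a browser sends, so it is not authentication for non-browser clients, which a comment on the `if (process.env.NODE_ENV ...)` line should say. `Sockets.init` begins before and continues after this hunk.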