Related blog post: https://socket.io/blog/socket-io-2-4-0/
Features (from Engine.IO)
Bug Fixes
- security: do not allow all origins by default (f78a575)
- properly overwrite the query sent in the handshake (d33a619)
⚠️ BREAKING CHANGE ⚠️
Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.
Please note that you are not impacted if:
- you are using Socket.IO v2 and the
originsoption to restrict the list of allowed domains - you are using Socket.IO v3 (disabled by default)
This commit also removes the support for '*' matchers and protocol-less URL:
io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000'); => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*'); => io.origins(['http://localhost:3000']);
io.origins('*:3000'); => io.origins(['http://localhost:3000']);
To restore the previous behavior (please use with caution):
io.origins((_, callback) => {
callback(null, true);
});See also:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://socket.io/docs/v3/handling-cors/
- https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling
Thanks a lot to @ni8walk3r for the security report.
Links:
- Milestone: 2.4.0
- Diff: 2.3.0...2.4.0
- Client release: 2.4.0
- engine.io version:
~3.5.0 - ws version:
~7.4.2