Skip to content

2.4.0

Compare
Choose a tag to compare
@darrachequesne darrachequesne released this 04 Jan 23:39
· 189 commits to master since this release
873fdc5

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

  • add support for all cookie options (19cc582)
  • disable perMessageDeflate by default (5ad2736)

Bug Fixes

  • security: do not allow all origins by default (f78a575)
  • properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

  • you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
  • you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

Thanks a lot to @ni8walk3r for the security report.

Links: