Skip to content

2.4.1
Compare
Choose a tag to compare
@darrachequesne darrachequesne released this 07 Jan 10:34
· 189 commits to master since this release
2.4.1
e6b8697
This commit was signed with the committer’s verified signature.
darrachequesne Damien Arrachequesne
GPG key ID: 544D14663E7F7CF0
Learn about vigilant mode.

This release reverts the breaking change introduced in 2.4.0 (f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

  • without CORS (server and client are served from the same domain):
const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});
  • with CORS (server and client are served from distinct domains):
io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

  • fix(security): do not allow all origins by default (a169050)

Links:

  • Diff: 2.4.0...2.4.1
  • Client release: -
  • engine.io version: ~3.5.0
  • ws version: ~7.4.2
Assets 2