create-react-app
create-react-app copied to clipboard
facebook
Change Origin header on proxied WebSocket requests
Similar to CORS controls, WebSocket servers are often configured to check the Origin header of incoming requests. The config for the HTTP proxy overwrites requests' Origin header to prevent issues with CORS, but didn't previously do the same thing for WebSockets, as they are controlled by a different config key.
This Origin-limiting behaviour is recommended in RFC 6455 and is implemented in the Python websockets package, the Java websockets API and the Gorillas websocket package. I think it is common enough that c-r-a should support it out-of-the-box.
See https://github.com/treuherz/wstest for repro and test.
Fixes #10878
Hi @treuherz!
Thank you for your pull request and welcome to our community.
Action Required
In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.
Process
In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.
Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.
If you have received this in error or have any questions, please contact us at [email protected]. Thanks!
Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!
Looks like the previous fix wasn't sufficient to work in Chrome. I've added another change to fix it and have tested in Safari, Firefox and Chrome. I think this also now fixes #5280.