
Comparing changes

base repository: socketio/socket.io
base: 2.3.0
...
head repository: socketio/socket.io
compare: 2.4.0
  • 5 commits
  • 9 files changed
  • 2 contributors

Commits on Jan 4, 2021

  1. ci: migrate to GitHub Actions

    Due to the recent changes to the Travis CI platform (see [1]), we will
    now use GitHub Actions to run the tests.
    
    Reference: https://docs.github.com/en/free-pro-team@latest/actions/guides/building-and-testing-nodejs
    
    [1]: https://blog.travis-ci.com/2020-11-02-travis-ci-new-billing
    darrachequesne committed Jan 4, 2021
    6fa026f
  2. 3951a79
  3. fix: properly overwrite the query sent in the handshake

    The `query` option of the Manager had the priority over the one of the
    Socket instance, which meant updating the Socket#query object on the
    client-side was not reflected in the Socket#handshake object on the
    server-side.
    
    Please note that the behavior of the `query` option is still a bit
    weird in Socket.IO v2, as it only applies to non-default namespace.
    This is fixed in v3:
    
    - https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#Add-a-clear-distinction-between-the-Manager-query-option-and-the-Socket-query-option
    - https://socket.io/docs/v3/middlewares/#Sending-credentials
    
    Fixes #3495
    sebamarynissen authored and darrachequesne committed Jan 4, 2021
    d33a619
  4. fix(security): do not allow all origins by default

    BREAKING CHANGE: previously, all origins were allowed by default, which
    meant that a Socket.IO server sent the necessary CORS headers
    (`Access-Control-Allow-xxx`) to any domain by default.
    
    Please note that you are not impacted if:
    
    - you are using Socket.IO v2 and the `origins` option to restrict the list of allowed domains
    - you are using Socket.IO v3 (disabled by default)
    
    This commit also removes the support for '*' matchers and protocol-less
    URL:
    
    ```
    io.origins('https://example.com:443'); => io.origins(['https://example.com']);
    io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
    io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
    io.origins('*:3000');                  => io.origins(['http://localhost:3000']);
    ```
    
    To restore the previous behavior (please use with caution):
    
    ```js
    io.origins((_, callback) => {
      callback(null, true);
    });
    ```
    
    See also:
    
    - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
    - https://socket.io/docs/v3/handling-cors/
    - https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling
    
    Thanks a lot to https://github.com/ni8walk3r for the security report.
    darrachequesne committed Jan 4, 2021
    f78a575
  5. chore(release): 2.4.0

    darrachequesne committed Jan 4, 2021
    873fdc5
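
The migration in the `fix(security)` commit above (exact origins only, no `*` matchers, no protocol-less URLs), as an added example that is not socket.io code or part of the commit: it audits a legacy `origins` list and builds an exact-match check in the `(origin, callback)` shape shown in the commit message. The helper names `auditOrigin` and `buildOriginCheck` are hypothetical, and the example assumes the value passed to the function is the request's `Origin` header.

```javascript
// Added example: audits legacy `origins` entries for the 2.4.0 migration.
// Helper names are hypothetical; none of this is socket.io code.

// Classify one legacy entry: exact origin (kept, normalized) or rejected.
function auditOrigin(entry) {
  if (entry.includes("*")) {
    return { ok: false, reason: "wildcard matcher" };
  }
  // Test the scheme before parsing: new URL("localhost:3000") does not throw,
  // it treats "localhost:" as the scheme.
  if (!/^https?:\/\//i.test(entry)) {
    return { ok: false, reason: "protocol-less URL" };
  }
  let url;
  try {
    url = new URL(entry);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return { ok: false, reason: "not a bare origin" };
  }
  // url.origin drops default ports, matching what browsers send in Origin.
  return { ok: true, origin: url.origin };
}

// Build an exact-match allowlist plus a report of entries needing a rewrite.
function buildOriginCheck(entries) {
  const allowed = new Set();
  const rejected = [];
  for (const entry of entries) {
    const result = auditOrigin(entry);
    if (result.ok) allowed.add(result.origin);
    else rejected.push({ entry, reason: result.reason });
  }
  // Same (origin, callback) shape as the function passed to io.origins above.
  // A missing Origin value is refused here; that is this example's choice.
  const check = (origin, callback) => callback(null, allowed.has(origin));
  return { allowed: [...allowed], rejected, check };
}

// Constructed sample input: the four legacy forms from the commit message.
const LEGACY = ["https://example.com:443", "localhost:3000", "http://localhost:*", "*:3000"];
const audit = buildOriginCheck(LEGACY);
console.log(audit.allowed, audit.rejected);
```

Entries reported in `rejected` have no automatic replacement; each one needs an explicit scheme, host and port chosen by whoever owns the deployment.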