2.4.1
版本发布时间: 2021-01-07 18:34:03
socketio/socket.io最新发布版本:2.5.1(2024-06-19 17:36:33)
This release reverts the breaking change introduced in 2.4.0 (https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7).
If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:
- without CORS (server and client are served from the same domain):
const io = require("socket.io")(httpServer, {
allowRequest: (req, callback) => {
callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
}
});
- with CORS (server and client are served from distinct domains):
io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);
In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).
Reverts
- fix(security): do not allow all origins by default (a169050)
Links:
- Diff: https://github.com/socketio/socket.io/compare/2.4.0...2.4.1
- Client release: -
- engine.io version:
~3.5.0 - ws version:
~7.4.2