How to set Cross domain origin?

[gunsluo]

in AcceptOptions struct, I found the InsecureSkipVerify field and set it equal to true. but all clients can connect to the WebSocket server, it includes illegal clients. in gorilla have CheckOrigin. but there is no the same method. (AcceptOrigins and add AcceptInsecureOrigin is removed in the current version).

	// InsecureSkipVerify disables Accept's origin verification behaviour. By default,
	// the connection will only be accepted if the request origin is equal to the request
	// host.
	//
	// This is only required if you want javascript served from a different domain
	// to access your WebSocket server.
	//
	// See https://stackoverflow.com/a/37837709/4283659
	//
	// Please ensure you understand the ramifications of enabling this.
	// If used incorrectly your WebSocket server will be open to CSRF attacks.
	InsecureSkipVerify bool

@nhooyr How to set origin like gorilla's CheckOrigin? Looking forward to your reply, appreciate it. Thanks.

[nhooyr]

Hi @gunsluo

You'd verify the Origin header yourself before accepting the WebSocket.

This is how the default works: https://github.com/nhooyr/websocket/blob/c62c0dcc9318d1ad612613d433ec90d7c34378dc/accept.go#L168

You'd want the same except you'd verify against your domain in https://github.com/nhooyr/websocket/blob/c62c0dcc9318d1ad612613d433ec90d7c34378dc/accept.go#L175 instead of r.Host.

[nhooyr]

I'll add an example for this.

[nhooyr]

See https://godoc.org/nhooyr.io/websocket#example-package--CrossOrigin

[gunsluo]

@nhooyr thanks. sorry for reply later. in fact, we use the same method. I expect WebSocket to provide a configurable item.

[nhooyr]

I agree, let's add it as I think it is a common use case.

How about OriginDomains []string to DialOpts?

[nhooyr]

Please review #198