Documentation for the Same Origin security policy

Author: miguelgrinberg

docs/server.rst

@@ -823,3 +823,23 @@ multiple servers, the following conditions must be met:
 - The worker processes need to communicate with each other to coordinate
   complex operations such as broadcasts. This is done through a configured
   message queue. See the section on using message queues for details.
+
+Cross-Origin Controls
+---------------------
+
+For security reasons, this server enforces a same-origin policy by default. In
+practical terms, this means the following:
+
+- If an incoming HTTP or WebSocket request includes the ``Origin`` header,
+  this header must match the scheme and host of the connection URL. In case
+  of a mismatch, a 400 status code response is returned and the connection is
+  rejected.
+- No restrictions are imposed on incoming requests that do not include the
+  ``Origin`` header.
+
+If necessary, the ``cors_allowed_origins`` option can be used to allow other
+origins. This argument can be set to a string to set a single allowed origin, or
+to a list to allow multiple origins. A special value of ``'*'`` can be used to
+instruct the server to allow all origins, but this should be done with care, as
+this could make the server vulnerable to Cross-Site Request Forgery (CSRF)
+attacks.

setup.py

@@ -30,7 +30,7 @@
     platforms='any',
     install_requires=[
         'six>=1.9.0',
-        'python-engineio>=3.8.0,<3.9.0'
+        'python-engineio>=3.9.0'
     ],
     extras_require={
         'client': [