Add option to disable CORS headers

[bshamblen]

A relatively minor change to optionally disable the CORS headers.

Testing process

The following is refactored, but similar to the block of code that Meteor uses to set up sockjs in their ddp-server package.

Copy/paste the following code into the tests/test_server/server.js file, overwriting the contents of the existing file:

var http = require('http');
var config = require('./config').config;
var sockjs = require('../../index');

var open_sockets = [];
var server = http.createServer();

var serverOptions = {
  prefix: '/sockjs',
  log: function() {},
  disable_cors: false, //change this setting to test
  heartbeat_delay: 45000,
  disconnect_delay: 60 * 1000,
  jsessionid: false
};

var meteor = sockjs.createServer(serverOptions);

meteor.on('connection', function (socket) {
  socket.send = function (data) {
    socket.write(data);
  };
  socket.on('close', function () {
    //open_sockets = _.without(open_sockets, socket);
  });
  open_sockets.push(socket);
  socket.send(JSON.stringify({server_id: "0"}));
});

meteor.installHandlers(server, {prefix: '/sockjs'});
server.listen(config.port, config.host);

console.log("[*] Listening on", config.host + ':' + config.port);

Run npm install and make test_server from the root folder of the project.

Open your browser and navigate to http://localhost:8081/sockjs/info. This will verify the old version of the info data is still returned.

Open another window and navigate to http://jsfiddle.net/bshamblen/4m118rbg/, then run the script. This will verify that you're able to load the info page from another domain.

Now, change the disable_cors option to true and restart the server.

Reload both pages above. The direct load of the page should not return the options key in the JSON body, but it should load, since it's not being called from another domain. The jsfiddle script should return an error, and the developer console should show that the CORS headers are missing.

Please let me know if you have any questions, or need me to make any adjustments.

[bshamblen]

Fixes #217

[bshamblen]

@brycekahle Just checking to see if there's anything you need from me before this PR can be merged. Thanks.

[leo-cheron]

Could we merge that? That would fix a huge security risk.

[ALeschinsky]

Yes please! We need this for our project.

[IncoCode]

👍

[brycekahle]

Can you change domain to origin?

[peshi]

'know' ?

[brycekahle]

No need to include the target. Let's not presume we know what the user wants.

[bshamblen]

@brycekahle I've modified the documentation to include the requested changes. Thanks!

[lnader]

@brycekahle - Change requests have been done. Can we please merge this PR?