Comments (15)
Are we still doing this for 0.4?
+1
+1
+1
+1
Don't really need a JSONP solution.
<add name="Access-Control-Allow-Origin"
solution in web.config is fine.
However, the /signalr/hubs script should be more flexible; the URL /signalr shouldn't be hardcoded.
@Zyphrax you can change it via $.connection.hub.url.
There isn't a good default other than the relative path, and that works for 90% of the cases.
+1
+1
This was implemented as a contribution (Thanks @codeputty).
To make this work with persistent connections:
// Connect to a hub on another origin and force the JSONP long-polling transport
var connection = $.connection('http://somecrossdomainurl/echo');
connection.start({ transport: 'longPolling', xdomain: true });
We may tweak the API (i.e. try to autodetect so you don't need to specify longPolling), but this is the current implementation.
Thanks for this! Does this mean though that xdomain only works with long polling and no other transport protocol? If so, is it technically possible for it to work with other protocols?
This feature is specifically about long polling. Other protocols aren't supported. You can check out CORS for an alternative to JSONP long polling:
http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
http://stackoverflow.com/questions/9984534/signalr-cross-domain-connections
The CORS solution is working quite well. It becomes problematic when you have SignalR on a subdomain, more than one subdomain using it, and cookies in use.
The specification says that you can specify multiple domains for Access-Control-Allow-Origin, but that doesn't seem to work when you have Access-Control-Allow-Credentials set to true (for cookie support).
My workaround is (in Global.asax.cs of my SignalR hubs MVC website):
/// <summary>
/// Raised when the application processes a request.
/// </summary>
protected void Application_BeginRequest(object sender, EventArgs e) {
    // Needs: using System; using System.Web.Security;
    string origin = Request.Headers["Origin"];
    Uri uri;
    // Validate the request origin: only an absolute origin whose host ends with the
    // forms-authentication cookie domain is echoed back, and only that single value
    if (Uri.TryCreate(origin, UriKind.Absolute, out uri) &&
        uri.Host.EndsWith(FormsAuthentication.CookieDomain)) {
        Response.AddHeader("Access-Control-Allow-Origin", uri.Scheme + "://" + uri.Authority);
        Response.AddHeader("Access-Control-Allow-Credentials", "true");
    }
}
Another nice resource for CORS:
http://enable-cors.org/
In AspNetHandler.cs I see that you've implemented it like this:
// https://developer.mozilla.org/En/HTTP_Access_Control
string origin = context.Request.Headers["Origin"];
if (!String.IsNullOrEmpty(origin))
{
    context.Response.AddHeader("Access-Control-Allow-Origin", origin);
    context.Response.AddHeader("Access-Control-Allow-Credentials", "true");
}
This seems quite insecure. Now all origins are allowed. If you have a look at my code above, you see that I compare the origin against the cookie domain. Could you implement something similar?
EDIT - one extra thing to note:
It would be better to somehow overwrite the Access-Control-Allow-Origin header instead of using AddHeader. Now, if you have Access-Control-Allow-Origin defined in your web.config, you'll end up with both values being sent to the client, which will fail in almost all browsers (I think only Firefox supports that).
Insecure? WebSockets has the same behavior as this by default. Also, any other random non-browser client can call your service, so I'm not sure what you're protecting.
Also, socket.io does the same. We want the experience to be as similar to WebSockets as possible. If you have valid security concerns or concrete evidence that what we're doing is insecure, then I'd love to know.
Sent from my Windows Phone