CORS issue

[lotuspolarbear]

Hi, I'd like to set only trusted origins to the socket server so it won't be exposed to any origins.

I usde $io->origins to allow the requests from my domain but it is still being exposed to any domains.
Here's my code.

$io = new SocketIO(2020, $context);
$io->origins('https://mydomain.com:*');
$io->on('workerStart', function()use($io){
$io->adapter('\PHPSocketIO\ChannelAdapter');
});

Are there any ways to fix the CORS issue with/without using $io->origins ?

Thank you!

[walkor]

It works fine for me.

$sender_io = new SocketIO(2120);
$sender_io->origins('http://127.0.0.1:*');

When I changed $sender_io->origins('http://127.0.0.1:*'); to $sender_io->origins('http://128.0.0.1:*');

[lotuspolarbear]

Hi, thanks for your response.

Yeah, it returns 403 on my end as well but the response has Access-Control-Allow-Origin value.

Here's what I got.

The vulnerability scan result still says socket.io is exposed to any origin.

I don't want the Access-Control-Allow-Credentials and Access-Control-Allow-Origin to come back as a response.

Any ideas?

Thank you!

[lotuspolarbear]

Instead of the 403 Forbidden error, is it possible to send a 404 Page Not Found error?

[walkor]

Not support send 404 page error. 发自我的iPhone

…

------------------ Original ------------------ From: Polar Bear ***@***.***> Date: Mon,Jun 14,2021 2:22 AM To: walkor/phpsocket.io ***@***.***> Cc: walkor ***@***.***>, Comment ***@***.***> Subject: Re: [walkor/phpsocket.io] CORS issue (#264) Instead of the 403 Forbidden error, is it possible to send a 404 Page Not Found error? — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

[lotuspolarbear]

I think it's possible if I modify the sendErrorMessage() function in /src/Engine/Engine.php?

[walkor]

Yes

[lotuspolarbear]

Thank you!