Documentation for the Same Origin security policy

6 years ago · 045188c63d
2 changed files with 21 additions and 1 deletions
--- a/docs/server.rst
+++ b/docs/server.rst
@ -823,3 +823,23 @@ multiple servers, the following conditions must be met:
 - The worker processes need to communicate with each other to coordinate
  complex operations such as broadcasts. This is done through a configured
  message queue. See the section on using message queues for details.
+
+Cross-Origin Controls
+---------------------
+
+For security reasons, this server enforces a same-origin policy by default. In
+practical terms, this means the following:
+
+- If an incoming HTTP or WebSocket request includes the ``Origin`` header,
+  this header must match the scheme and host of the connection URL. In case
+  of a mismatch, a 400 status code response is returned and the connection is
+  rejected.
+- No restrictions are imposed on incoming requests that do not include the
+  ``Origin`` header.
+
+If necessary, the ``cors_allowed_origins`` option can be used to allow other
+origins. This argument can be set to a string to set a single allowed origin, or
+to a list to allow multiple origins. A special value of ``'*'`` can be used to
+instruct the server to allow all origins, but this should be done with care, as
+this could make the server vulnerable to Cross-Site Request Forgery (CSRF)
+attacks.
--- a/setup.py
+++ b/setup.py
@ -30,7 +30,7 @@ setup(
    platforms='any',
    install_requires=[
        'six>=1.9.0',
-        'python-engineio>=3.8.0,<3.9.0'
+        'python-engineio>=3.9.0'
    ],
    extras_require={
        'client': [