Happy New Year everyone!

We just published a new minor version in the 2.x branch!

Please note that this release contains a breaking change regarding Cross-Origin Resource Sharing (CORS).

UPDATE: this change was reverted in 2.4.1, because it did not follow semantic versioning and broke some deployments (discussed here). Please make sure you are properly securing your application, and upgrade to Socket.IO v3 as soon as possible.

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

  • you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
  • you are using Socket.IO v3 (disabled by default)

This change also removes the support for ‘*’ matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000'); => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*'); => io.origins(['http://localhost:3000']);
io.origins('*:3000'); => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
callback(null, true);

A big thanks to @ni8walk3r for the detailed security report.

See also:


  • add support for all cookie options (19cc582)
  • disable perMessageDeflate by default (5ad2736)

Bug Fixes

  • security: do not allow all origins by default (f78a575)
  • properly overwrite the query sent in the handshake (d33a619)

Stay safe!

Caught a mistake? Edit this page on GitHub