-
Notifications
You must be signed in to change notification settings - Fork 301
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WebSocket Dial Handshake 403 When Connecting to Server Written Using x/net/websocket #461
Comments
This turned out to be because we weren't sending any Origin header at all. I had originally followed the example in the readme, here: ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
defer cancel()
c, _, err := websocket.Dial(ctx, "ws://localhost:8080", nil)
if err != nil {
// ...
}
defer c.CloseNow()
err = wsjson.Write(ctx, c, "hi")
if err != nil {
// ...
}
c.Close(websocket.StatusNormalClosure, "") However, when written like this, no Origin header is sent. On the server side we're using labstack/echo, which has CORS configured to accept any Origin: e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
AllowOrigins: []string{"*"},
AllowMethods: []string{http.MethodGet, http.MethodPut, http.MethodPost, http.MethodDelete},
})) Despite setting this, this results in a 403 during the handshake due to the lack of Origin header. The reason this didn't happen with x/net/websocket is because the I also opened an issue on the |
I think your problem is with |
That does seem to be the source of the issue. Since this library is designed to be easy to use in place of the official |
We have a simplistic example websocket server written using this boilerplate in the labstack echo cookbook: https://echo.labstack.com/docs/cookbook/websocket#server
It's currently using
x/net/websocket
. On the client side that connects to this example server, I tried to swap out ourx/net/websocket
implementation fornhooyr/websocket
, but whenwebsocket.Dial
is called, the handshake fails with this 403 error. I'm not sure why this is, as the default CORS forecho
is to allow everything and if I swap back to the dialer inx/net/websocket
, it works fine. Just in case, I've tried to provide a custom HTTP client with a custom transport that setsInsecureSkipVerify: true
via theDialOptions
, but this also did not work.The text was updated successfully, but these errors were encountered: