socketio / engine.io-client

The engine used in the Socket.IO JavaScript client, which manages the low-level transports such as HTTP long-polling, WebSocket and WebTransport.

Home Page: https://socket.io

Security risk in xhr.status if response is spoofed

christopher-kiss opened this issue · comments

Note: for support questions, please use one of these channels: stackoverflow or slack

You want to:

  • report a bug
  • request a feature

Current behaviour

If the status is not 200 or 1223, the status is passed straight into the error handler and is then propagated out to the socket 'connect_error' handlers provided by developers.

Steps to reproduce (if the current behaviour is a bug)

  • Use the XHR polling transport type.
  • Intercept the HTTP request and spoof the response status to an invalid value.

Expected behaviour

Error handler should always return a valid status code which is of type number.

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/status

Setup

  • OS: any
  • browser: any
  • engine.io version: 2.1.1

Other information (e.g. stacktraces, related issues, suggestions how to fix)