秋田预测市场 · Discord 审计

Ghibli参与话题 1消息总数 6

该用户的聊天记录定位。

Reset

聊天记录

共 6 条,显示第 1-6 条

We don't want to take on an additional dependency if we don't have to (see: supply chain attacks). We don't need anything else provided by gorilla/websocket, the built-in library works for us in terms of features and functionality. is it expected that there's inconsistent behavior between the handling of `Origin` headers in the production websocket API endpoint and demo websocket API endpoint?

We don't want to take on an additional dependency if we don't have to (see: supply chain attacks). We don't need anything else provided by gorilla/websocket, the built-in library works for us in terms of features and functionality. is it expected that there's inconsistent behavior between the handling of `Origin` headers in the production websocket API endpoint and demo websocket API endpoint?

Ghibli 2026-07-09 06:44:49 Kalshi

That's a different library - we're using https://pkg.go.dev/golang.org/x/net/websocket The library in the code block above is github.com/gorilla/websocket

That's a different library - we're using https://pkg.go.dev/golang.org/x/net/websocket The library in the code block above is github.com/gorilla/websocket

When connecting to the websocket API, if an `Origin:` header is set then the websocket API returns a forbidden HTTP status code. The demo environment does not demonstrate this behavior. This is a bit problematic for us because the default golang websocket library sets this header: https://cs.opensource.google/go/x/net/+/refs/tags/v0.56.0:websocket/hybi.go;l=418 1) Maybe there's a valid Origin value that we can set that will not trigger a forbidden in production? 2) It would be helpful to keep the behavior in sync between demo and production websocket environments so that they both either return a forbidden or don't, when the header is set Thanks!

When connecting to the websocket API, if an `Origin:` header is set then the websocket API returns a forbidden HTTP status code. The demo environment does not demonstrate this behavior. This is a bit problematic for us because the default golang websocket library sets this header: https://cs.opensource.google/go/x/net/+/refs/tags/v0.56.0:websocket/hybi.go;l=418 1) Maybe there's a valid Origin value that we can set that will not trigger a forbidden in production? 2) It would be helpful to keep the behavior in sync between demo and production websocket environments so that they both either return a forbidden or don't, when the header is set Thanks!