Last post May 31, 2013 07:39 AM by cwt237
May 28, 2013 09:54 AM|cwt237|LINK
I am looking for a way to add a custom HTTP header on $connection.start();
It is doable in the .NET client (via connection.Headers.Add), but does not seem to be exposed in JS client?
From https://github.com/SignalR/SignalR/issues/270 it seems that this should be possible at some point (but I cannot see that from jquery.signalR-1.1.1.js). I have been looking for pending issues
(stating if this is 'on the way' or not).
I would prefer not to use the qs option (as both .NET clients and JS clients should be treated equally server side, and e.g. with variations of OAUTH it makes sense to use custom headers).
May 30, 2013 04:17 AM|rstrahl|LINK
I ran into the same thing. As far as I can tell there's no workaround for this, although I think it's been discussed that this might be added in the future.
I ended up passing the value I needed (in this case an Auth token) in the querystring and that works just fine.
It shouldn't really matter since you don't really control the URL anyway. Other than an ugly Http trace nobody will ever see this on an Address bar or address these links directly via REST calls. The esoterics just don't matter and it's no less secure on
the qs compared to a header - it's truly an internal implementation detail, IMHO.
+++ Rick ---
May 30, 2013 08:45 AM|davidfowl|LINK
The problem is that browser's websocket client doesn't allow custom headers to be set so it's not possible to make this work across transports.
May 31, 2013 07:39 AM|cwt237|LINK
Thanks for that info.
It just feels hacky to add e.g. a security token in the querystring (as opposed to a header), because of lack of features in the web socket implementation in the browsers.
Even with SSL/WSS the querystring may be stored in log files (in clear text, e.g. web server logs), it could be added as a favorite, or given as referrer headers. The last two possibilities should not be an issue with SignalR, but the first one is.