Description
During a recent security scan of our production environment a potential CORS vulnerability was raised. It seems that sockjs automatically sets the `Access-Control-Allow-Origin` header to whatever the requesting domain is, if any sockjs path is referenced from another domain.

For example, if I request the URL https://www.meteor.com/sockjs/info from a jsfiddle script, the `Access-Control-Allow-Origin` value is set to `https://fiddle.jshell.net` by sockjs.

After looking at your source code, I noticed a hard-coded reference where the requesting `Origin` header is being used to set the response `Access-Control-Allow-Origin` header:
https://github.com/sockjs/sockjs-node/blob/master/src/trans-xhr.coffee#L63

For security purposes our application should not allow cross-origin access to any paths. Would it be possible to add an option to disable this default behavior, or even the option to disable CORS completely, for the sockjs paths?
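The reflected-origin behaviour described above next to an allowlist-based alternative, as an added example (not sockjs-node's own code) written as a plain function that computes the CORS headers for a request; the function names and the allowlist are assumptions.

```javascript
// Added example, not part of sockjs-node. Both functions take the value of the
// request's Origin header and return the CORS response headers to set.

// Weak: echo whatever Origin the client sent. This is the behaviour the report
// describes: any site that embeds a request to a sockjs path is granted read
// access to the response by the browser.
function reflectedCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return { 'Access-Control-Allow-Origin': requestOrigin };
}

// Hardened: only origins on an explicit allowlist (an assumption; sockjs has no
// such option at the time of the report) receive an Access-Control-Allow-Origin
// header. Everything else gets no CORS headers, so the browser blocks the
// cross-origin read. An empty allowlist disables cross-origin access entirely,
// which is what the reporter asks for.
function allowlistedCorsHeaders(requestOrigin, allowedOrigins) {
  if (!requestOrigin) return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch (e) {
    return {}; // malformed or "null" Origin: not allowed
  }
  // Compare the normalised origin (scheme + host + port) for equality rather
  // than doing a substring or prefix match, so "https://app.example.com.evil.net"
  // is not accepted for "https://app.example.com".
  const normalised = parsed.origin;
  if (!allowedOrigins.includes(normalised)) return {};
  return {
    'Access-Control-Allow-Origin': normalised,
    // Tell caches the response depends on Origin, so the header issued for one
    // allowed origin is never replayed to a different requester.
    'Vary': 'Origin',
  };
}
```

Neither function sets `Access-Control-Allow-Credentials`; a reflected origin combined with that header would additionally expose cookie-authenticated responses, which is why the allowlist check belongs in front of any credentialed CORS response.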