socketio · rauchg · Sep 20, 2011 · Aug 10, 2011 · Aug 10, 2011 · Aug 10, 2011
diff --git a/lib/manager.js b/lib/manager.js
@@ -684,14 +684,18 @@ Manager.prototype.generateId = function () {
  */
 
 Manager.prototype.handleHandshake = function (data, req, res) {
-  var self = this;
+  var self = this
+    , origin = req.headers.origin
+    , headers = {
+        'Content-Type': 'text/plain'
+    };
 
   function writeErr (status, message) {
     if (data.query.jsonp) {
       res.writeHead(200, { 'Content-Type': 'application/javascript' });
       res.end('io.j[' + data.query.jsonp + '](new Error("' + message + '"));');
     } else {
-      res.writeHead(status, { 'Content-Type': 'text/plain' });
+      res.writeHead(status, headers);
       res.end(message);
     }
   };
@@ -708,6 +712,15 @@ Manager.prototype.handleHandshake = function (data, req, res) {
 
   var handshakeData = this.handshakeData(data);
 
+  if (origin) {
+    // https://developer.mozilla.org/En/HTTP_Access_Control
+    headers['Access-Control-Allow-Origin'] = '*';
+
+    if (req.headers.cookie) {
+      headers['Access-Control-Allow-Credentials'] = 'true';
+    }
+  }
+
   this.authorize(handshakeData, function (err, authorized, newData) {
     if (err) return error(err);
 
@@ -724,7 +737,7 @@ Manager.prototype.handleHandshake = function (data, req, res) {
         hs = 'io.j[' + data.query.jsonp + '](' + JSON.stringify(hs) + ');';
         res.writeHead(200, { 'Content-Type': 'application/javascript' });
       } else {
-        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.writeHead(200, headers);
       }
 
       res.end(hs);

diff --git a/test/manager.test.js b/test/manager.test.js
@@ -327,6 +327,26 @@ module.exports = {
     });
   },
 
+  'test handshake cross domain access control': function (done) {
+    var port = ++ports
+      , io = sio.listen(port)
+      , cl = client(port)
+      , headers = {
+            Origin: 'http://example.org:1337'
+          , Cookie: 'name=value'
+        };
+
+    cl.get('/socket.io/{protocol}/', { headers:headers }, function (res, data) {
+      res.statusCode.should.eql(200);
+      res.headers['access-control-allow-origin'].should.eql('*');
+      res.headers['access-control-allow-credentials'].should.eql('true');
+
+      cl.end();
+      io.server.close();
+      done();
+    });
+  },
+
   'test limiting the supported transports for a manager': function (done) {
     var port = ++ports
       , io = sio.listen(port)