diff --git a/package-lock.json b/package-lock.json
index c94500986d..e4f8e9e702 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -44351,7 +44351,7 @@
 "lodash": "^4.17.21",
 "proxy-addr": "^2.0.7",
 "request": "^2.88.2",
- "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-11",
+ "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-12",
 "socket.io-client": "github:overleaf/socket.io-client#0.9.17-overleaf-5"
 },
 "devDependencies": {
diff --git a/services/real-time/app.js b/services/real-time/app.js
index 38cb3caec4..4b8e894e8e 100644
--- a/services/real-time/app.js
+++ b/services/real-time/app.js
@@ -91,6 +91,11 @@ io.configure(function () {
 )
 io.set('origins', function (origin, req) {
+ if (!origin) {
+ // There is no origin or referer header - this is likely a same-site request.
+ logger.warn({ req }, 'No origin or referer header')
+ return true
+ }
 const normalizedOrigin = URL.parse(origin).origin
 const originIsValid = allowedCorsOriginsRegex.test(normalizedOrigin)
diff --git a/services/real-time/package.json b/services/real-time/package.json
index 2d5f87a109..a52e0dfcf9 100644
--- a/services/real-time/package.json
+++ b/services/real-time/package.json
@@ -34,7 +34,7 @@
 "lodash": "^4.17.21",
 "proxy-addr": "^2.0.7",
 "request": "^2.88.2",
- "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-11",
+ "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-12",
 "socket.io-client": "github:overleaf/socket.io-client#0.9.17-overleaf-5"
 },
 "devDependencies": {
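Review bot: The new `if (!origin)` branch in the `origins` callback of services/real-time/app.js fails open: it returns `true` before `allowedCorsOriginsRegex` is consulted, and a missing Origin/Referer is not proof of a same-site request, since non-browser clients can omit both and a referrer policy can strip Referer. If the aim is only to admit same-site requests that carry no Origin, a negative signal could be checked first where the browser supplies one, e.g. `if (req.headers['sec-fetch-site'] === 'cross-site') return false` ahead of `return true` (this assumes `req` is the Node request object, which the hunk does not show). `logger.warn({ req }, ...)` records the whole request for every such connection, so it is worth confirming that the logger's `req` serializer drops cookie and authorization headers, and whether warn level will be too noisy if this path is common. The comment would be more accurate as `// No Origin or Referer header: allowed without an allow-list check; the origin filter does not apply on this path.` The callback body continues outside the hunk.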