From 0b1f56eabf8299a8b02f5ec642da3a6c68eb4ee4 Mon Sep 17 00:00:00 2001
From: Andrew Rumble
Date: Wed, 14 May 2025 12:59:59 +0100
Subject: [PATCH] Allow an empty origin request in real-time
This will only happen with a same-origin request (or if someone has tampered with the request - in which case they could set anything).
Co-authored-by: Tim Down <158919+timdown@users.noreply.github.com>
GitOrigin-RevId: 9dfe49f974a476bfe215768d3984dd60a381d37a
---
 package-lock.json | 2 +-
 services/real-time/app.js | 5 +++++
 services/real-time/package.json | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index c94500986d..e4f8e9e702 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -44351,7 +44351,7 @@
 "lodash": "^4.17.21",
 "proxy-addr": "^2.0.7",
 "request": "^2.88.2",
- "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-11",
+ "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-12",
 "socket.io-client": "github:overleaf/socket.io-client#0.9.17-overleaf-5"
 },
 "devDependencies": {
diff --git a/services/real-time/app.js b/services/real-time/app.js
index 38cb3caec4..4b8e894e8e 100644
--- a/services/real-time/app.js
+++ b/services/real-time/app.js
@@ -91,6 +91,11 @@ io.configure(function () {
 )
 io.set('origins', function (origin, req) {
+ if (!origin) {
+ // There is no origin or referer header - this is likely a same-site request.
+ logger.warn({ req }, 'No origin or referer header')
+ return true
+ }
 const normalizedOrigin = URL.parse(origin).origin
 const originIsValid = allowedCorsOriginsRegex.test(normalizedOrigin)
diff --git a/services/real-time/package.json b/services/real-time/package.json
index 2d5f87a109..a52e0dfcf9 100644
--- a/services/real-time/package.json
+++ b/services/real-time/package.json
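Review bot: The new `logger.warn({ req }, 'No origin or referer header')` in the early-return branch serializes the whole request for every Origin-less request, which is the expected same-origin case rather than an anomaly, so it is both a high-volume warning and — unless the project logger's `req` serializer already strips headers — a way for session cookies to end up in logs. Logging only what identifies the request, at a lower level, e.g. `logger.debug({ url: req.url, method: req.method }, 'no origin or referer header, allowing as same-origin')`, keeps the signal without the leak. Since this branch is the one that bypasses the allowed-origins check, the comment should state the trade-off rather than just "likely a same-site request": browsers always send `Origin` on WebSocket upgrades and cross-site XHR, so an absent header can only come from same-origin polling or a non-browser client, and a non-browser client could forge any `Origin` anyway, so no browser-enforced protection is lost. Note that the guard only covers an absent value: a present but unparseable `Origin` still reaches `URL.parse(origin).origin` on the next line, which throws if `URL` here is the WHATWG class (its static `parse` returns `null` on failure), so it is worth confirming which `URL` is in scope. The enclosing `io.set('origins', ...)` callback continues beyond the end of the hunk.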
@@ -34,7 +34,7 @@
 "lodash": "^4.17.21",
 "proxy-addr": "^2.0.7",
 "request": "^2.88.2",
- "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-11",
+ "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-12",
 "socket.io-client": "github:overleaf/socket.io-client#0.9.17-overleaf-5"
 },
 "devDependencies": {