WebSocketOriginCheck: remove "whitelist" from documentation

Every little bit helps.

In most situations, the context already makes it clear what's going on
(e.g. "Trusted list"). When the existing context isn't enough, use
"allowlist" instead.

Author: jchampio

README.md

@@ -252,9 +252,9 @@ but it requires the server to know which origins are trusted.
 The `WebSocketOriginCheck` directive controls how the server applies this
 security feature. The three options are `Same`, which requires the `Origin` sent
 by the user-agent to exactly match the origin of your WebSocket service;
-`Trusted`, which checks the incoming `Origin` against a whitelist that you
-provide; and `Off`, which disables cross-origin protection entirely. The default
-is `Same`.
+`Trusted`, which checks the incoming `Origin` against a list that you provide;
+and `Off`, which disables cross-origin protection entirely. The default is
+`Same`.
 
 _Note that in all cases, handshakes without an `Origin` header are allowed to
 connect._
@@ -291,16 +291,16 @@ Some caveats:
 
 #### Trusted Origins
 
-To specify a whitelist of origins that your plugin will accept connections from,
-use `WebSocketOriginCheck Trusted` and the `WebSocketTrustedOrigin` directive:
+To specify a list of origins that your plugin will accept connections from, use
+`WebSocketOriginCheck Trusted` and the `WebSocketTrustedOrigin` directive:
 
     WebSocketOriginCheck Trusted
     WebSocketTrustedOrigin https://www.example.com https://other.example.com
     WebSocketTrustedOrigin http://other.example.net:8080
 
 If your WebSocket plugin can be accessed via multiple hostname aliases or ports,
 each combination must be added as a separate entry, since the `Origin` value
-sent by a user-agent must _exactly_ match one in the whitelist to be allowed.
+sent by a user-agent must _exactly_ match one in the list to be allowed.
 
 #### Disabling Origin Checks
 

mod_websocket.c

@@ -74,7 +74,7 @@ typedef struct
     apr_int64_t message_limit;
     int allow_reserved; /* whether to allow reserved status codes */
     int origin_check;   /* how to check the Origin during a handshake */
-    apr_hash_t *trusted_origins; /* whitelist for ORIGIN_CHECK_TRUSTED */
+    apr_hash_t *trusted_origins; /* allowlist for ORIGIN_CHECK_TRUSTED */
 } websocket_config_rec;
 
 /* Possible config values for websocket_config_rec->origin_check */
@@ -272,7 +272,7 @@ static const char *mod_websocket_conf_add_origin(cmd_parms *cmd, void *confv,
                      origin);
 
         ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cmd->server,
-                     "added Origin '%s' to the Trusted whitelist for %s",
+                     "added Origin '%s' to the Trusted list for %s",
                      origin, (cmd->path ? cmd->path : "null"));
     }
 
@@ -994,15 +994,15 @@ static int is_trusted_origin(request_rec *r, websocket_config_rec *conf,
         return 1;
     } else if (mode == ORIGIN_CHECK_TRUSTED) {
         /*
-         * See if the Origin is in our whitelist.
+         * See if the Origin is in our allowlist.
          */
         void *val = apr_hash_get(conf->trusted_origins, origin,
                                  APR_HASH_KEY_STRING);
 
         if (!val) {
             ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
                           "Origin header '%s' sent by user-agent is not in the "
-                          "Trusted whitelist; rejecting WebSocket upgrade",
+                          "Trusted list; rejecting WebSocket upgrade",
                           origin);
             return 0;
         }

test/httpd/test.conf.in

@@ -58,7 +58,7 @@ DocumentRoot htdocs
   WebSocketOriginCheck Off
 </Location>
 
-<Location /origin-whitelist>
+<Location /origin-trusted>
   SetHandler websocket-handler
   WebSocketHandler modules/mod_websocket_echo.so echo_init
 

test/pytest/test_configuration.py

@@ -17,7 +17,7 @@ def trusted_origin_response(agent, request):
     A fixture that performs a handshake using one of the explicitly trusted test
     Origins.
     """
-    response = pytest.blockon(make_request(agent, path='/origin-whitelist',
+    response = pytest.blockon(make_request(agent, path='/origin-trusted',
                                                   origin=request.param))
     yield response
     client.readBody(response).cancel() # immediately close the connection
@@ -45,8 +45,8 @@ def test_explicitly_trusted_Origins_are_allowed(trusted_origin_response):
 @pytest.inlineCallbacks
 def test_untrusted_Origins_are_not_allowed_with_OriginCheck_Trusted(agent):
     # When using WebSocketOriginCheck Trusted, even a same-origin request isn't
-    # good enough if the origin is not on the whitelist.
-    response = yield make_request(agent, path='/origin-whitelist',
+    # good enough if the origin is not on the allowlist.
+    response = yield make_request(agent, path='/origin-trusted',
                                   origin=make_root())
     assert response.code == 403
     client.readBody(response).cancel() # immediately close the connection