Callee exposed to autobahn js client


At some point AutobahnJS clients started to receive callee information for each RPC request. Is this a bug or a feature? And is there a way to disable it?

Example request/response copied from Firefox dev tools

autobahnJS -> crossbar -> autobahnPython backend

request [48,1,{},"com.example.get_data"]
response [50,1,{"callee":1234567890,"callee_authrole":"backend"},[7]]

Tested with the latest crossbar/autobahn versions. Can be replicated with this example:


There is an option to disclose this information or not. See

Hello meejah,

I have no problem with caller information disclosure. The problem is that the AutobahnJS client can see the backend's session ID and authid in response to its RPC requests. The callee information is disclosed, not the caller's.

  1. HTTP client request [48,1,{},"com.example.get_data"]
  2. backend response to com.example.get_data -> [50,1,{"callee":1234567890,"callee_authrole":"backend"},[7]] (backend responds with value 7 and discloses its session ID and authrole)
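
One way to check captured WebSocket frames for the disclosure described above, as an added example that is not part of the thread or of Crossbar/Autobahn: it pairs each WAMP CALL (type 48) with its RESULT (type 50) by request ID and reports any `callee*` keys in the RESULT details. The function names and the second call/result pair in the sample are constructed for illustration.

```javascript
// WAMP message type codes (CALL and RESULT), as seen in the frames above.
const CALL = 48;
const RESULT = 50;

// Return the callee-identifying keys present in a RESULT message's details dict.
function calleeDisclosure(msg) {
  if (!Array.isArray(msg) || msg[0] !== RESULT) return [];
  const details = msg[2];
  if (details === null || typeof details !== "object" || Array.isArray(details)) return [];
  return Object.keys(details).filter((k) => k === "callee" || k.startsWith("callee_"));
}

// Pair CALLs with RESULTs by request ID; report procedures whose results expose the callee.
function auditFrames(frames) {
  const pending = new Map(); // request ID -> procedure URI
  const findings = [];
  for (const raw of frames) {
    let msg;
    try {
      msg = JSON.parse(raw);
    } catch (e) {
      continue; // not a JSON-serialized WAMP frame
    }
    if (!Array.isArray(msg)) continue;
    if (msg[0] === CALL) {
      pending.set(msg[1], msg[3]);
    } else if (msg[0] === RESULT) {
      const keys = calleeDisclosure(msg);
      if (keys.length > 0) {
        findings.push({ request: msg[1], procedure: pending.get(msg[1]) ?? null, keys });
      }
      // Keep the mapping while progressive results are still arriving.
      if (!(msg[2] && msg[2].progress)) pending.delete(msg[1]);
    }
  }
  return findings;
}

// Constructed sample: the two frames from the post plus a call whose result has empty details.
const SAMPLE_FRAMES = [
  '[48,1,{},"com.example.get_data"]',
  '[50,1,{"callee":1234567890,"callee_authrole":"backend"},[7]]',
  '[48,2,{},"com.example.get_data"]',
  '[50,2,{},[7]]',
];

console.log(auditFrames(SAMPLE_FRAMES));
```

Frames can be copied from the browser's WebSocket inspector, one JSON string per message.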