Re: Allow custom headers (Websocket API) from Florian Bösch on 2015-02-05 (public-webapps@w3.org from January to March 2015)

From: Florian Bösch <pyalot@gmail.com>
Date: Thu, 5 Feb 2015 14:23:36 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Michiel De Mey <de.mey.michiel@gmail.com>, WebApps WG <public-webapps@w3.org>
Message-ID: <CAOK8ODh=6PrqY=HsiA-8jG2E2am+B7FDaEgfzQL4nt1fMc2Jbw@mail.gmail.com>

Well,

1) Clients do apply CORS to WebSocket requests already (and might've
started doing so quite some time ago) and everything's fine and you don't
need to change anything.

2) Clients do not apply CORS to WebSocket requests, and you're screwed,
because any change you make will break existing deployments.

Either way, this will result in no change made, so you can burry it right
here.

On Thu, Feb 5, 2015 at 2:12 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Feb 5, 2015 at 1:27 PM, Florian Bösch <pyalot@gmail.com> wrote:
> > CORS is an adequate protocol to allow for additional headers, and
> websocket
> > requests could be subjected to CORS (I'm not sure what the current client
> > behavior is in that regard, but I'm guessing they enforce CORS on
> websocket
> > requests as well).
>
> I think you're missing something. A WebSocket request is subject to
> the WebSocket protocol, which does not take the same precautions as
> the Fetch protocol does used elsewhere in the platform. And therefore
> we cannot provide this feature until the WebSocket protocol is fixed
> to take the same precautions.
>
>
> --
> https://annevankesteren.nl/
>

Received on Thursday, 5 February 2015 13:24:05 UTC