- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 5 Feb 2015 12:59:38 +0100
- To: Michiel De Mey <de.mey.michiel@gmail.com>
- Cc: WebApps WG <public-webapps@w3.org>

On Thu, Feb 5, 2015 at 12:50 PM, Michiel De Mey <de.mey.michiel@gmail.com> wrote:
> All it says about CORS is the following
> (Opening handshake section):
>
> The |Origin| header field [RFC6454] is used to protect against unauthorized
> cross-origin use of a WebSocket server by scripts using the WebSocket API in
> a web browser.

That is not sufficient to allow custom headers. Cross-origin (and WebSocket is nearly always cross-origin I think) custom headers require a preflight and opt-in on a per-header basis. Sounds like the extra bits of the protocol were not designed with the requirements of the web in mind.

--
https://annevankesteren.nl/

Received on Thursday, 5 February 2015 12:00:11 UTC
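
Added example, not part of the original message: a server-side check of the |Origin| header during the WebSocket opening handshake, which is the protection the quoted RFC text describes. The allowlist entries and the names `ALLOWED_ORIGINS`, `normalizeOrigin` and `checkHandshakeOrigin` are assumptions made for illustration.

```javascript
// Hypothetical allowlist of serialized origins (scheme://host[:port]).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Parse an Origin header value and return its canonical serialized form,
// or null if it is not a plain http(s) origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // A serialized origin carries no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  // url.origin lower-cases the host and drops the scheme's default port.
  return url.origin;
}

// headers: request headers keyed by lower-cased name (as Node's http module
// provides them). Returns the decision the upgrade handler should act on.
function checkHandshakeOrigin(headers, { allowNonBrowser = false } = {}) {
  const raw = headers["origin"];
  if (raw === undefined) {
    // Browsers always send Origin on a WebSocket handshake; other clients may not.
    return allowNonBrowser
      ? { ok: true, status: 101, reason: "no Origin header (non-browser client)" }
      : { ok: false, status: 403, reason: "missing Origin header" };
  }
  const origin = normalizeOrigin(raw);
  if (origin === null) {
    return { ok: false, status: 403, reason: "malformed or opaque Origin" };
  }
  // Exact match on the whole origin: no substring or suffix comparison.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed: " + origin };
  }
  return { ok: true, status: 101, reason: "origin allowed: " + origin };
}
```

The check only authenticates which web origin opened the connection; it says nothing about custom request headers, which is the gap the reply points out.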