Re: Allow custom headers (Websocket API)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 5 Feb 2015 12:59:38 +0100
Message-ID: <CADnb78jSTLBcv+aPA-H+PXXoen7_+U+vWS=R7zao7b=NZ5zwbA@mail.gmail.com>
To: Michiel De Mey <de.mey.michiel@gmail.com>
Cc: WebApps WG <public-webapps@w3.org>

On Thu, Feb 5, 2015 at 12:50 PM, Michiel De Mey
<de.mey.michiel@gmail.com> wrote:
> All it says about CORS is the following
> (Opening handshake section):
>
> The |Origin| header field [RFC6454] is used to protect against unauthorized
> cross-origin use of a WebSocket server by scripts using the WebSocket API in
> a web browser.

That is not sufficient to allow custom headers. Cross-origin (and
WebSocket is nearly always cross-origin I think) custom headers
require a preflight and opt-in on a per-header basis.

Sounds like the extra bits of the protocol were not designed with the
requirements of the web in mind.


-- 
https://annevankesteren.nl/
Received on Thursday, 5 February 2015 12:00:11 UTC
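
The per-header opt-in described in the message above, modelled as an added example that is not part of the original e-mail or of any specification text. It covers the HTTP CORS preflight (credentialed mode), not the WebSocket handshake; the function names, origins, header names and policy object are constructed for illustration.

```javascript
// Server side: answer an OPTIONS preflight from an explicit policy.
function answerPreflight(policy, req) {
  const origin = req.headers["origin"];
  const entry = policy[origin];
  if (!entry || !req.headers["access-control-request-method"]) {
    return { status: 403, headers: {} }; // no CORS headers: the browser blocks the request
  }
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": origin,
      "access-control-allow-credentials": "true",
      "access-control-allow-methods": entry.methods.join(", "),
      // Only headers this server has opted in to, never an echo of what was asked for.
      "access-control-allow-headers": entry.headers.join(", "),
      "vary": "Origin",
    },
  };
}

// Browser side: which requested custom headers did the server NOT opt in to?
// Credentialed mode is assumed, so "*" is not treated as a wildcard.
function deniedHeaders(origin, customHeaders, res) {
  const names = customHeaders.map((h) => h.toLowerCase());
  if (res.headers["access-control-allow-origin"] !== origin) return names;
  const allowed = new Set(
    (res.headers["access-control-allow-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
  return names.filter((h) => !allowed.has(h));
}

// Constructed policy: one trusted origin, one opted-in custom header.
const POLICY = {
  "https://app.example": { methods: ["GET"], headers: ["X-Auth-Token"] },
};

// Run one preflight round trip and report the headers that would block the request.
function check(origin, customHeaders) {
  const res = answerPreflight(POLICY, {
    headers: {
      "origin": origin,
      "access-control-request-method": "GET",
      "access-control-request-headers": customHeaders.join(", ").toLowerCase(),
    },
  });
  return deniedHeaders(origin, customHeaders, res);
}
```

An empty result from `check` means the actual request may be sent; any name in the result means the browser fails the request before it leaves the page.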
