Re: Allow custom headers (Websocket API) from Florian Bösch on 2015-02-05 (public-webapps@w3.org from January to March 2015)

From: Florian Bösch <pyalot@gmail.com>
Date: Thu, 5 Feb 2015 13:18:03 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Michiel De Mey <de.mey.michiel@gmail.com>, WebApps WG <public-webapps@w3.org>
Message-ID: <CAOK8ODh+y-m-N1vKzcboc+e98XnGC78iLezNO5EMhVxiD6JWBw@mail.gmail.com>

On Thu, Feb 5, 2015 at 12:59 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> That is not sufficient to allow custom headers. Cross-origin (and
> WebSocket is nearly always cross-origin I think) custom headers
> require a preflight and opt-in on a per-header basis.
>
Access-Control-Allow-Headers is not a preflight request per header, it's
one preflight request for all custom headers.

CORS allows idempotent requests to be made without a preflight request. A
websocket setup is a GET request with the necessary headers for the
handshake set.

Please don't break websockets and HTTP as they're specified and implemented
today. Thank you.

Received on Thursday, 5 February 2015 12:18:30 UTC