Re: Allow custom headers (Websocket API)

From: Florian Bösch <pyalot@gmail.com>
Date: Thu, 5 Feb 2015 14:41:10 +0100
Message-ID: <CAOK8ODiHBQOmAVVKh+_DCggi4XHmge_b3dXZLZ6QW3sQrbKE+A@mail.gmail.com>
To: Takeshi Yoshino <tyoshino@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Michiel De Mey <de.mey.michiel@gmail.com>, WebApps WG <public-webapps@w3.org>

On Thu, Feb 5, 2015 at 2:39 PM, Takeshi Yoshino <tyoshino@google.com> wrote:

> To prevent WebSocket from being abused to attack existing HTTP servers
> from malicious non-simple cross-origin requests, we need to have WebSocket
> clients do some preflight to verify that the server is not an HTTP
> server that doesn't understand CORS. We could do e.g. when a custom header is
> specified,

No further specification is needed because CORS already covers the case of
endpoints that do not understand CORS (deny by default). Hence the above
assertion is superfluous.

> So, anyway, I think we need to make some change on the WebSocket spec.

Also bogus assertion.

Received on Thursday, 5 February 2015 13:41:41 UTC
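
The deny-by-default outcome of a CORS preflight against an endpoint that does not understand CORS, shown as an added example that is not part of the original message. It is a simplified model of the browser-side check; the function names, the `X-Auth-Token` header, the origin and the sample responses are constructed assumptions.

```javascript
// Simplified model of the CORS preflight check for a non-credentialed request.
// Omitted: credentials mode, the Authorization special case, and the
// value-dependent safelisting of Content-Type (it is treated as non-safelisted).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language"]);

// Split a comma-separated header value into trimmed tokens.
function list(value) {
  return (value || "").split(",").map(t => t.trim()).filter(Boolean);
}

function deny(reason) { return { allowed: false, reason }; }

// request:   { origin, method, headers: [custom header names] }
// preflight: { status, headers: { "lower-cased-name": value } } (the OPTIONS reply)
function preflightAllows(request, preflight) {
  const h = preflight.headers;
  if (preflight.status < 200 || preflight.status > 299) return deny("preflight status not ok");
  // A server that never heard of CORS sends no Access-Control-Allow-Origin.
  const acao = h["access-control-allow-origin"];
  if (acao !== "*" && acao !== request.origin) return deny("origin not allowed");
  // Method names are compared case-sensitively.
  const methods = list(h["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.has(request.method) &&
      !methods.includes("*") && !methods.includes(request.method)) return deny("method not allowed");
  // Header names are compared case-insensitively.
  const allowed = list(h["access-control-allow-headers"]).map(n => n.toLowerCase());
  for (const name of request.headers.map(n => n.toLowerCase())) {
    if (SAFELISTED_HEADERS.has(name)) continue;
    if (!allowed.includes("*") && !allowed.includes(name)) return deny("header not allowed: " + name);
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample data: one request with a custom header, four kinds of server.
const request = { origin: "https://app.example", method: "GET", headers: ["X-Auth-Token"] };
const servers = {
  legacyOk:   { status: 200, headers: { allow: "GET, HEAD, OPTIONS" } },
  legacy405:  { status: 405, headers: {} },
  corsNoHdr:  { status: 204, headers: { "access-control-allow-origin": "https://app.example" } },
  corsOptIn:  { status: 204, headers: { "access-control-allow-origin": "https://app.example",
                                        "access-control-allow-headers": "x-auth-token" } },
};

for (const [name, reply] of Object.entries(servers)) {
  const r = preflightAllows(request, reply);
  console.log(name.padEnd(10), r.allowed ? "send actual request" : "blocked: " + r.reason);
}
```

Only the server that explicitly opts in receives the actual request; both legacy replies are blocked before the custom header is ever sent.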