On Thu, Feb 5, 2015 at 2:39 PM, Takeshi Yoshino <tyoshino@google.com> wrote: > To prevent WebSocket from being abused to attack existing HTTP servers > from malicious non-simple cross-origin requests, we need to have WebSocket > clients to do some preflight to verify that the server is not an HTTP > server that don't understand CORS. We could do e.g. when a custom header is > specified, > No further specification is needed because CORS already covers the case of endpoints that do not understand CORS (deny by default). Hence above assertion is superfluous. > So, anyway, I think we need to make some change on the WebSocket spec. > Also bogus assertion.
Received on Thursday, 5 February 2015 13:41:41 UTC