Re: Allow custom headers (Websocket API) from Takeshi Yoshino on 2015-02-05 (public-webapps@w3.org from January to March 2015)

From: Takeshi Yoshino <tyoshino@google.com>
Date: Thu, 5 Feb 2015 22:44:46 +0900
To: Florian Bösch <pyalot@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Michiel De Mey <de.mey.michiel@gmail.com>, WebApps WG <public-webapps@w3.org>
Message-ID: <CAH9hSJbmKxtXQ=rbEdbWDigMnmWTuCYKpqzZN_V6eGQ_bf2=0g@mail.gmail.com>

On Thu, Feb 5, 2015 at 10:41 PM, Florian Bösch <pyalot@gmail.com> wrote:

> On Thu, Feb 5, 2015 at 2:39 PM, Takeshi Yoshino <tyoshino@google.com>
> wrote:
>
>> To prevent WebSocket from being abused to attack existing HTTP servers
>> from malicious non-simple cross-origin requests, we need to have WebSocket
>> clients to do some preflight to verify that the server is not an HTTP
>> server that don't understand CORS. We could do e.g. when a custom header is
>> specified,
>>
> No further specification is needed because CORS already covers the case of
> endpoints that do not understand CORS (deny by default). Hence above
> assertion is superfluous.
>

IIUC, CORS prevents clients from issuing non-simple cross-origin request
(even idempotent methods) without verifying that the server understands
CORS. That's realized by preflight.


>
>
>> So, anyway, I think we need to make some change on the WebSocket spec.
>>
> Also bogus assertion.
>

Received on Thursday, 5 February 2015 13:45:34 UTC