Re: Allow custom headers (Websocket API)

On Thu, Feb 5, 2015 at 10:41 PM, Florian Bösch <pyalot@gmail.com> wrote:

> On Thu, Feb 5, 2015 at 2:39 PM, Takeshi Yoshino <tyoshino@google.com>
> wrote:
>
>> To prevent WebSocket from being abused to attack existing HTTP servers
>> from malicious non-simple cross-origin requests, we need to have WebSocket
>> clients do some preflight to verify that the server is not an HTTP
>> server that doesn't understand CORS. We could do e.g. when a custom header is
>> specified,
>>
> No further specification is needed because CORS already covers the case of
> endpoints that do not understand CORS (deny by default). Hence the above
> assertion is superfluous.
>

IIUC, CORS prevents clients from issuing non-simple cross-origin requests
(even with idempotent methods) without verifying that the server understands
CORS. That's realized by preflight.
>> So, anyway, I think we need to make some change on the WebSocket spec.
>>
> Also bogus assertion.
>

Received on Thursday, 5 February 2015 13:45:34 UTC
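To make the point of the exchange concrete, here is an added model of the browser-side CORS gate that is being discussed: a request carrying a custom header is non-simple, so the browser sends an OPTIONS preflight first and only issues the real request if the server answers with matching Access-Control-* headers. This is illustration written for this page, not code from the thread, the WebSocket spec or any browser; the two "servers" are constructed stand-ins, and the safelists are reduced to the common cases rather than the full Fetch definition.

```python
"""Model of the CORS preflight decision a browser makes before sending a
cross-origin request that carries a custom header (added illustration; the
two servers below are constructed stand-ins, not real endpoints)."""

# CORS-safelisted methods, header names and Content-Type values: a request
# that stays within these is "simple" and goes out with no preflight.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language",
                      "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                            "multipart/form-data", "text/plain"}


def is_simple_request(method, headers):
    """True if the request needs no preflight under CORS."""
    if method.upper() not in SAFELISTED_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return False  # e.g. a custom header makes it non-simple
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SAFELISTED_CONTENT_TYPES:
                return False
    return True


def cors_aware_server(method, headers):
    """Constructed server that implements CORS: it answers an OPTIONS
    preflight with the origin, methods and headers it allows."""
    if method == "OPTIONS":
        return 204, {
            "Access-Control-Allow-Origin": "https://app.example",
            "Access-Control-Allow-Methods": "GET, POST",
            "Access-Control-Allow-Headers": "X-Custom-Header",
        }
    return 200, {"Access-Control-Allow-Origin": "https://app.example"}


def legacy_server(method, headers):
    """Constructed pre-CORS server: it has no idea what a preflight is and
    returns 200 for anything, with no Access-Control-* headers at all."""
    return 200, {}


def preflight_allows(server, origin, method, headers):
    """Send the preflight the browser would send and decide whether the
    real request may follow (the 'deny by default' check: a server that
    does not answer with matching CORS headers is treated as refusing)."""
    requested = sorted(h.lower() for h in headers
                       if h.lower() not in SAFELISTED_HEADERS)
    status, resp = server("OPTIONS", {
        "Origin": origin,
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": ", ".join(requested),
    })
    if not 200 <= status < 300:
        return False
    if resp.get("Access-Control-Allow-Origin") not in (origin, "*"):
        return False
    allowed_methods = {m.strip().upper() for m in
                       resp.get("Access-Control-Allow-Methods", "").split(",")
                       if m.strip()}
    if method.upper() not in SAFELISTED_METHODS \
            and method.upper() not in allowed_methods:
        return False
    allowed_headers = {h.strip().lower() for h in
                       resp.get("Access-Control-Allow-Headers", "").split(",")
                       if h.strip()}
    return allowed_headers == {"*"} or all(h in allowed_headers
                                           for h in requested)


def browser_fetch(server, origin, method, headers):
    """Browser-side gate: simple requests go straight out; non-simple ones
    reach the server only if the preflight succeeds. Returns (sent, status)."""
    if not is_simple_request(method, headers) \
            and not preflight_allows(server, origin, method, headers):
        return False, None
    status, _ = server(method, dict(headers, Origin=origin))
    return True, status


if __name__ == "__main__":
    custom = {"X-Custom-Header": "1"}
    print(browser_fetch(cors_aware_server, "https://app.example", "GET", custom))
    print(browser_fetch(legacy_server, "https://app.example", "GET", custom))
```

The second call is the case both sides of the thread care about: the legacy server never sees the request with the custom header, because it cannot produce the preflight answer the browser requires. Note that the model only covers whether the request is sent; reading the response of a simple request still requires an Access-Control-Allow-Origin header, which is a separate check.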