
Re: Allow custom headers (Websocket API)

From: Takeshi Yoshino <tyoshino@google.com>
Date: Thu, 5 Feb 2015 22:44:46 +0900
Message-ID: <CAH9hSJbmKxtXQ=rbEdbWDigMnmWTuCYKpqzZN_V6eGQ_bf2=0g@mail.gmail.com>
To: Florian Bösch <pyalot@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Michiel De Mey <de.mey.michiel@gmail.com>, WebApps WG <public-webapps@w3.org>
On Thu, Feb 5, 2015 at 10:41 PM, Florian Bösch <pyalot@gmail.com> wrote:

> On Thu, Feb 5, 2015 at 2:39 PM, Takeshi Yoshino <tyoshino@google.com> wrote:
>> To prevent WebSocket from being abused to attack existing HTTP servers
>> with malicious non-simple cross-origin requests, we need to have WebSocket
>> clients do some preflight to verify that the server is not an HTTP
>> server that doesn't understand CORS. We could do this e.g. when a custom header is
>> specified,
> No further specification is needed because CORS already covers the case of
> endpoints that do not understand CORS (deny by default). Hence the above
> assertion is superfluous.

IIUC, CORS prevents clients from issuing non-simple cross-origin requests
(even with idempotent methods) without verifying that the server understands
CORS. That's realized by preflight.

>> So, anyway, I think we need to make some change to the WebSocket spec.
> Also bogus assertion.
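
The point under debate above is what a preflight actually buys: a browser will not deliver a non-simple cross-origin request (a non-safelisted method or a custom header) to a server until an OPTIONS exchange shows the server understands CORS, while a simple request reaches the server regardless. The following is an added example, not code from the thread or from any of the participants: a small Python model of the user-agent side of that rule, run against two constructed servers, one that predates CORS and one that implements preflight for a single trusted origin. All origins, paths and server behaviour are constructed for illustration.

```python
# Added example (not from the thread): a model of the CORS rule that a
# non-simple cross-origin request must be preceded by a successful preflight.
# Servers, origins and paths below are constructed for illustration only.

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
# CORS-safelisted request header names (Fetch standard), lower-cased
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
}


def is_simple_request(method: str, headers: dict) -> bool:
    """True when the request is a CORS 'simple' request, i.e. one a browser
    sends without preflight (any legacy HTTP server will receive it)."""
    if method.upper() not in SAFELISTED_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return False  # a custom header makes the request non-simple
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFELISTED_CONTENT_TYPES:
                return False
    return True


def legacy_http_server(method, path, headers):
    """Constructed server that predates CORS: it answers every method,
    including OPTIONS, with 200 and never emits Access-Control-* headers."""
    return 200, {}, f"legacy handled {method} {path}"


def cors_aware_server(method, path, headers, allowed_origin="https://app.example"):
    """Constructed server that implements preflight for one trusted origin."""
    origin = headers.get("Origin")
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        if origin != allowed_origin:
            return 403, {}, ""
        return 204, {
            "Access-Control-Allow-Origin": allowed_origin,
            "Access-Control-Allow-Methods": headers["Access-Control-Request-Method"],
            "Access-Control-Allow-Headers": headers.get("Access-Control-Request-Headers", ""),
        }, ""
    if origin != allowed_origin:
        return 403, {}, ""
    return 200, {"Access-Control-Allow-Origin": allowed_origin}, f"handled {method} {path}"


def browser_fetch(server, origin, method, path, headers):
    """Model of the user agent. Returns ("sent", body) when the actual
    request reached the server and ("blocked", reason) when the preflight
    stopped it. Note that a simple request is always sent; CORS only decides
    whether the page may read the response."""
    request_headers = {"Origin": origin, **headers}
    if not is_simple_request(method, headers):
        preflight = {
            "Origin": origin,
            "Access-Control-Request-Method": method,
            "Access-Control-Request-Headers": ",".join(sorted(h.lower() for h in headers)),
        }
        status, resp, _ = server("OPTIONS", path, preflight)
        if not 200 <= status < 300:
            return "blocked", "preflight failed"
        if resp.get("Access-Control-Allow-Origin") not in (origin, "*"):
            # A server that ignores CORS answers OPTIONS but never sends this
            # header, so the non-simple request is never delivered to it.
            return "blocked", "preflight lacks Access-Control-Allow-Origin"
        allowed_methods = {m.strip().upper()
                           for m in resp.get("Access-Control-Allow-Methods", "").split(",")}
        if method.upper() not in allowed_methods:
            return "blocked", "method not allowed by preflight"
        allowed_headers = {h.strip().lower()
                           for h in resp.get("Access-Control-Allow-Headers", "").split(",")}
        for name in headers:
            if name.lower() not in SAFELISTED_HEADERS and name.lower() not in allowed_headers:
                return "blocked", f"header {name} not allowed by preflight"
    _, _, body = server(method, path, request_headers)
    return "sent", body


if __name__ == "__main__":
    print(browser_fetch(legacy_http_server, "https://other.example", "GET", "/", {}))
    print(browser_fetch(legacy_http_server, "https://other.example", "GET", "/", {"X-Custom": "1"}))
    print(browser_fetch(cors_aware_server, "https://app.example", "PUT", "/item", {"X-Custom": "1"}))
```

Running the block shows the contrast the thread is about: a plain GET reaches the legacy server, the same GET with a custom header is blocked before delivery because the legacy server's OPTIONS reply carries no `Access-Control-Allow-Origin`, and the CORS-aware server receives the PUT only after it has explicitly allowed the origin, method and header. A WebSocket handshake has no equivalent preflight step, which is why custom headers on it raise the question debated above.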
Received on Thursday, 5 February 2015 13:45:34 UTC
