2014-12-01 22:00 GMT+01:00 Mark Thomas <ma...@apache.org>:

> This is an improvement since it is not just the scheme, host and port
> but it still reflects the connection being made to WebSocket rather than
> the Origin of the request. I don't see how the WebSocketContainer can
> possibly determine what the origin is. It has to rely on a user-provided
> value.
>
> Also, I don't see anything in either RFC6455 or the Java WebSocket
> specification that says that the origin header is mandatory.
>

The user has the opportunity to set its origin header, but having an origin
seems mandatory enough to me right now. Anything you don't like can be
wrapped inside the strict flag.

Rémy
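
An added example, not part of the original message or of Tomcat's code: one way a client application can supply its own Origin value through the standard `javax.websocket` API, which is the "user provided value" discussed above. The origin `https://app.example.com`, the endpoint URI and the class names are constructed placeholders.

```java
import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.websocket.ClientEndpointConfig;
import javax.websocket.ContainerProvider;
import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
import javax.websocket.Session;
import javax.websocket.WebSocketContainer;

public class OriginClient {

    /** Sets a caller-chosen Origin header on the opening handshake. */
    static class OriginConfigurator extends ClientEndpointConfig.Configurator {
        private final String origin;

        OriginConfigurator(String origin) {
            this.origin = origin;
        }

        @Override
        public void beforeRequest(Map<String, List<String>> headers) {
            // Header names are case-insensitive: drop any value already present
            // (for example a container default) so exactly one Origin is sent.
            headers.keySet().removeIf(name -> "Origin".equalsIgnoreCase(name));
            headers.put("Origin", Collections.singletonList(origin));
        }
    }

    /** Minimal endpoint; a real client would register message handlers here. */
    static class NoopEndpoint extends Endpoint {
        @Override
        public void onOpen(Session session, EndpointConfig config) { }
    }

    public static void main(String[] args) throws Exception {
        WebSocketContainer container = ContainerProvider.getWebSocketContainer();
        ClientEndpointConfig config = ClientEndpointConfig.Builder.create()
                .configurator(new OriginConfigurator("https://app.example.com")) // constructed value
                .build();
        // Constructed endpoint URI; the Origin above is independent of it.
        try (Session session = container.connectToServer(
                new NoopEndpoint(), config, URI.create("wss://ws.example.com/chat"))) {
            System.out.println("Connected: " + session.isOpen());
        }
    }
}
```

Because a non-browser client can send any Origin it likes, a server-side origin check only constrains browsers and does not authenticate the client.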
