On Thu, Feb 5, 2015 at 12:50 PM, Michiel De Mey <de.mey.mich...@gmail.com> wrote: > All it says about CORS is the following > (Opening handshake section): > > The |Origin| header field [RFC6454] is used to protect against unauthorized > cross-origin use of a WebSocket server by scripts using the WebSocket API in > a web browser.
That is not sufficient to allow custom headers. Cross-origin (and WebSocket is nearly always cross-origin I think) custom headers require a preflight and opt-in on a per-header basis. Sounds like the extra bits of the protocol were not designed with the requirements of the web in mind. -- https://annevankesteren.nl/