On Thu, Feb 5, 2015 at 12:50 PM, Michiel De Mey
<de.mey.mich...@gmail.com> wrote:
> All it says about CORS is the following
> (Opening handshake section):
> The |Origin| header field [RFC6454] is used to protect against unauthorized
> cross-origin use of a WebSocket server by scripts using the WebSocket API in
> a web browser.

That is not sufficient to allow custom headers. Cross-origin (and
WebSocket is nearly always cross-origin I think) custom headers
require a preflight and opt-in on a per-header basis.

Sounds like the extra bits of the protocol were not designed with the
requirements of the web in mind.


Reply via email to