On Thu, Feb 5, 2015 at 12:59 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
> That is not sufficient to allow custom headers. Cross-origin (and > WebSocket is nearly always cross-origin I think) custom headers > require a preflight and opt-in on a per-header basis. > Access-Control-Allow-Headers is not a preflight request per header, it's one preflight request for all custom headers. CORS allows idempotent requests to be made without a preflight request. A websocket setup is a GET request with the necessary headers for the handshake set. Please don't break websockets and HTTP as they're specified and implemented today. Thank you.