On Thu, Feb 5, 2015 at 12:59 PM, Anne van Kesteren <ann...@annevk.nl> wrote:

> That is not sufficient to allow custom headers. Cross-origin (and
> WebSocket is nearly always cross-origin I think) custom headers
> require a preflight and opt-in on a per-header basis.
Access-Control-Allow-Headers is not a preflight request per header, it's
one preflight request for all custom headers.

CORS allows idempotent requests to be made without a preflight request. A
websocket setup is a GET request with the necessary headers for the
handshake set.

Please don't break websockets and HTTP as they're specified and implemented
today. Thank you.

Reply via email to