On Thu, Feb 5, 2015 at 1:18 PM, Florian Bösch <pya...@gmail.com> wrote: > On Thu, Feb 5, 2015 at 12:59 PM, Anne van Kesteren <ann...@annevk.nl> wrote: >> That is not sufficient to allow custom headers. Cross-origin (and >> WebSocket is nearly always cross-origin I think) custom headers >> require a preflight and opt-in on a per-header basis. > > Access-Control-Allow-Headers is not a preflight request per header, it's one > preflight request for all custom headers.
I was saying you need to opt in on a per-header basis. I did not say each requires a distinct preflight. > CORS allows idempotent requests to be made without a preflight request. A > websocket setup is a GET request with the necessary headers for the > handshake set. > > Please don't break websockets and HTTP as they're specified and implemented > today. Thank you. I'm not sure how this is relevant. We are discussing adding the ability to the WebSocket API to set custom headers and whether the current protocol is adequate for that. -- https://annevankesteren.nl/