On Thu, Feb 5, 2015 at 10:41 PM, Florian Bösch <pya...@gmail.com> wrote:
> On Thu, Feb 5, 2015 at 2:39 PM, Takeshi Yoshino <tyosh...@google.com>
> wrote:
>
>> To prevent WebSocket from being abused to attack existing HTTP servers
>> from malicious non-simple cross-origin requests, we need to have WebSocket
>> clients to do some preflight to verify that the server is not an HTTP
>> server that doesn't understand CORS. We could do e.g. when a custom header is
>> specified,
>>
> No further specification is needed because CORS already covers the case of
> endpoints that do not understand CORS (deny by default). Hence above
> assertion is superfluous.
>

IIUC, CORS prevents clients from issuing non-simple cross-origin requests (even idempotent methods) without verifying that the server understands CORS. That's realized by preflight.

>
>
>> So, anyway, I think we need to make some change on the WebSocket spec.
>>
> Also bogus assertion.
>
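
The preflight gate discussed in this exchange, as an added example that is not part of the original messages: a simplified JavaScript model (not the full Fetch algorithm, no wildcard handling) showing that a non-simple cross-origin request never reaches a server that does not answer the preflight with CORS headers. All function names, the sample server and the `X-Token` header are assumptions made for illustration.

```javascript
// Simplified model of the CORS preflight gate; not the full Fetch algorithm.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (n !== "content-type") return SAFE_HEADERS.has(n);
  return SIMPLE_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
}
// Non-simple: a method or author-set header outside the safelist.
function needsPreflight(req) {
  return !SIMPLE_METHODS.has(req.method) ||
    Object.entries(req.headers || {}).some(([n, v]) => !isSafelisted(n, v));
}
// Decide from the OPTIONS response whether the real request may be sent.
function preflightAllows(req, origin, res) {
  if (res.status < 200 || res.status > 299) return false;
  const h = res.headers || {};
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  if (!SIMPLE_METHODS.has(req.method) &&
      !list(h["access-control-allow-methods"]).includes(req.method.toLowerCase())) return false;
  const allowed = list(h["access-control-allow-headers"]);
  return Object.entries(req.headers || {})
    .filter(([n, v]) => !isSafelisted(n, v))
    .every(([n]) => allowed.includes(n.toLowerCase()));
}

// server(request) -> {status, headers}. Returns true if the real request was sent.
function crossOriginSend(req, origin, server) {
  if (needsPreflight(req)) {
    const pre = server({ method: "OPTIONS", headers: {
      origin, "access-control-request-method": req.method } });
    if (!preflightAllows(req, origin, pre)) return false; // never reaches the server
  }
  server({ method: req.method, headers: { ...req.headers, origin } });
  return true;
}

// Constructed sample server; `seen` records every method that reached it.
// Pass null for a server that does not understand CORS (405 on OPTIONS).
function makeServer(corsHeaders) {
  const seen = [];
  const preflight = corsHeaders ? { status: 204, headers: corsHeaders } : { status: 405, headers: {} };
  const handle = (r) => (seen.push(r.method), r.method === "OPTIONS" ? preflight : { status: 200, headers: {} });
  return { handle, seen };
}
```

Against `makeServer(null)`, a `DELETE` with a custom header stops at the failed `OPTIONS`, while a simple `POST` with `text/plain` is still delivered, which is the pre-CORS baseline that legacy servers already had to tolerate.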