On Thu, Feb 5, 2015 at 10:41 PM, Florian Bösch <pya...@gmail.com> wrote:

> On Thu, Feb 5, 2015 at 2:39 PM, Takeshi Yoshino <tyosh...@google.com>
> wrote:
>> To prevent WebSocket from being abused to attack existing HTTP servers
>> from malicious non-simple cross-origin requests, we need to have WebSocket
>> clients do some preflight to verify that the server is not an HTTP
>> server that doesn't understand CORS. We could do e.g. when a custom header is
>> specified,
> No further specification is needed because CORS already covers the case of
> endpoints that do not understand CORS (deny by default). Hence the above
> assertion is superfluous.

IIUC, CORS prevents clients from issuing non-simple cross-origin requests
(even idempotent methods) without verifying that the server understands
CORS. That's realized by preflight.

>> So, anyway, I think we need to make some change on the WebSocket spec.
> Also bogus assertion.
