Re: Allow custom headers (Websocket API)

2015-02-05 Thread Michiel De Mey
Standardizing the approach would definitely help developers;
however, where will we communicate this?




On February 5, 2015 at 3:04:35 PM, Takeshi Yoshino (tyosh...@google.com) wrote:

On Thu, Feb 5, 2015 at 10:57 PM, Anne van Kesteren ann...@annevk.nl wrote:
On Thu, Feb 5, 2015 at 2:48 PM, Bjoern Hoehrmann derhoe...@gmx.net wrote:
 A Websocket connection is established by making a HTTP Upgrade request,
 and the protocol is HTTP unless and until the connection is upgraded.

Sure, but the server can get away with supporting a very limited
subset of HTTP, no? Anyway, perhaps a combination of a CORS preflight
followed by the HTTP Upgrade that then includes the headers is the
answer, would probably be best to ask some WebSocket library
developers what they think.

Agreed. Even if we don't make any change on the existing specs, we need to
standardize (or just announce to developers) that they need to make servers
understand that combination if they want to develop apps that use custom
headers. Then, client vendors could implement that.
 


Allow custom headers (Websocket API)

2015-02-05 Thread Michiel De Mey
Hi

I'd like to propose a new feature to enable browsers to send custom headers 
through the API.
The Websocket spec supports this, however the API does not expose this feature.

We're trying to integrate bearer token authentication using the Authorization
header; this is mainly for single-page apps that don't use session
(cookie-based) authentication.

Thanks
Michiel De Mey



Re: Allow custom headers (Websocket API)

2015-02-05 Thread Michiel De Mey
All it says about CORS is the following

(Opening handshake section):


The |Origin| header field [RFC6454] is used to protect against unauthorized 
cross-origin use of a WebSocket server by scripts using the WebSocket API in a 
web browser.

On Thu, Feb 5, 2015 at 10:19 AM, Anne van Kesteren ann...@annevk.nl
wrote:

 On Thu, Feb 5, 2015 at 3:49 AM, Michiel De Mey de.mey.mich...@gmail.com 
 wrote:
 I'd like to propose a new feature to enable browsers to send custom headers 
 through the API.
 The Websocket spec supports this, however the API does not expose this 
 feature.
 Does the specification take similar precautions to CORS?
 -- 
 https://annevankesteren.nl/
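
Added example (not part of the original thread, and not code from any participant): a server-side check of the opening handshake that enforces the |Origin| protection quoted above and computes the Sec-WebSocket-Accept reply as defined by RFC 6455. The allow-list, host names and sample request are constructed for illustration, and refusing requests without an Origin header is an assumed policy for a browser-only service.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID defined by RFC 6455
ALLOWED_ORIGINS = {"https://app.example.com"}  # assumption: this deployment's allow-list

# Constructed sample request; the key is the sample nonce used in RFC 6455.
SAMPLE = (
    b"GET /chat HTTP/1.1\r\nHost: ws.example.com\r\nUpgrade: websocket\r\n"
    b"Connection: keep-alive, Upgrade\r\nOrigin: https://app.example.com\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n"
)


def parse_head(raw):
    """Return (request line, headers keyed by lowercase name) from a raw request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_handshake(raw):
    """Return (status code, response headers) for a WebSocket opening handshake."""
    request_line, h = parse_head(raw)
    if not request_line.startswith("GET "):
        return 400, {}
    conn = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in conn:
        return 400, {}
    if h.get("sec-websocket-version") != "13":
        return 426, {"Sec-WebSocket-Version": "13"}
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return 400, {}
    except ValueError:
        return 400, {}
    # Page script cannot alter Origin, so a mismatch means a foreign page opened
    # the socket. Assumption: browser-only service, so a missing Origin is refused too.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return 403, {}
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    accept = base64.b64encode(digest).decode("ascii")
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept}
```

The Origin check only constrains browsers; it does not authenticate the user, which is why the thread is looking for a way to carry a bearer token as well.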