sidewndr46 1 day ago

This is also a misunderstanding. CORS only applies to the Layer 7 communication. The rest you can figure out from the timing of that.

Significant components of the browser, such as WebSockets, have no such restrictions at all.

James_K 1 day ago

Won't the browser still append the "Origin" field to WebSocket requests, allowing servers to reject them?

bstsb 1 day ago

yes, and that's exactly how discord's websocket communication checks work (allowing them to offer a non-scheme "open in app" from the website).

they also had some kind of RPC websocket system for game developers, but that appears to have been abandoned: https://discord.com/developers/docs/topics/rpc

afiori 1 day ago

A WebSocket starts as a normal HTTP request, so it is subject to CORS if the initial request was (e.g. if it was a POST).

hnav 1 day ago

websockets aren't subject to CORS, they send the initiating webpage in the Origin header but the server has to decide whether that's allowed.

odo1242 1 day ago

Unfortunately, the initial WebSocket HTTP request is defined to always be a GET request.
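
Added example, not part of the thread: a sketch of the server-side `Origin` check on the WebSocket opening handshake that the comments above describe. The allow-list, host names, function names and sample requests are constructed for illustration and are not taken from Discord or any other project.

```javascript
// Assumption: the origins this server's own pages are served from.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Parse a raw HTTP/1.1 request head into { method, headers } (header names lowercased).
function parseHandshake(raw) {
  const [requestLine, ...lines] = raw.split("\r\n");
  const method = requestLine.split(" ")[0];
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, headers };
}

// Decide whether to complete the upgrade. Returns { status, reason }.
function checkHandshake(raw, { allowNoOrigin = false } = {}) {
  const { method, headers } = parseHandshake(raw);
  if (method !== "GET") return { status: 405, reason: "handshake must be GET" };
  if ((headers["upgrade"] || "").toLowerCase() !== "websocket")
    return { status: 400, reason: "not a WebSocket upgrade" };
  const origin = headers["origin"];
  if (origin === undefined) {
    // Browsers always send Origin on this request; non-browser clients may omit it.
    return allowNoOrigin
      ? { status: 101, reason: "no Origin (non-browser client)" }
      : { status: 403, reason: "missing Origin" };
  }
  // Normalise through URL so host case and default ports compare equal.
  // The opaque origin "null" and other junk fail to parse and are rejected.
  let normalised;
  try { normalised = new URL(origin).origin; }
  catch { return { status: 403, reason: "unparseable Origin" }; }
  // Exact match only: prefix or suffix matching would accept look-alike hosts.
  return ALLOWED_ORIGINS.has(normalised)
    ? { status: 101, reason: "origin allowed" }
    : { status: 403, reason: "origin not allowed" };
}

// Constructed sample handshake; pass undefined to omit the Origin header.
const sample = (origin) =>
  ["GET /socket HTTP/1.1", "Host: api.example.com", "Upgrade: websocket",
   "Connection: Upgrade", "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
   "Sec-WebSocket-Version: 13",
   ...(origin === undefined ? [] : [`Origin: ${origin}`]), "", ""].join("\r\n");
```

The browser does not block the connection itself, so the server has to send the rejection before it switches protocols; once the `101` is sent the page can read and write on the socket.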