A WebSocket starts as a normal http request, so it is subject to cors if the initial request was (eg if it was a post)
websockets aren't subject to CORS, they send the initiating webpage in the Origin header but the server has to decide whether that's allowed.
Unfortunately, the initial WebSocket HTTP request is defined to always be a GET request.