by mic159 2332 days ago
Just remember that authentication and origin checking is completely up to the websocket server. Any random page in a browser can talk to your websocket cross origin, and it's up to your server to check the "Origin" header to make sure it's actually your app on the other end.
2 comments
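Here is an added example, not code from this thread or from any project it mentions, of the server-side check the comment above describes: a WebSocket handshake arrives with an Origin header set by the browser, and the server decides whether to complete the upgrade by comparing that origin against an exact allow-list. The allowed origins, the sample handshake headers and the function names are all assumptions constructed for the example; only the WHATWG URL parser built into Node is used, so it runs offline.

```javascript
// Added example (not from the HN thread): a server-side Origin check for a
// WebSocket handshake, written as pure functions so it runs without a
// network. The allow-list and sample headers below are constructed for
// illustration, not taken from any real deployment.

// Exact-match allow-list of the origins our app is actually served from
// (assumed values). Origin = scheme + host + port, nothing else.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://app.example.com:8443",
]);

// Normalise a raw Origin header value to "scheme://host[:port]" with the
// WHATWG URL parser, so "HTTPS://App.Example.com:443/" compares equal to
// "https://app.example.com". Returns null for malformed or opaque origins,
// including the literal value "null" that sandboxed iframes send.
function normalizeOrigin(raw) {
  if (typeof raw !== "string") return null;
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  // URL.origin is the string "null" for opaque origins (file:, data:, ...).
  return u.origin === "null" ? null : u.origin;
}

// Decide whether to accept a WebSocket upgrade given the request headers.
// Browsers always send Origin on a WebSocket handshake, so a missing header
// means a non-browser client. Origin is no defence against such clients
// anyway (they can send whatever they like), so the caller opts in with
// allowNonBrowser and must authenticate them by some other means.
function checkUpgrade(headers, options) {
  const allowNonBrowser = !!(options && options.allowNonBrowser);
  // Header names are case-insensitive; fold them to lower case first.
  const lower = {};
  for (const name of Object.keys(headers)) {
    lower[name.toLowerCase()] = headers[name];
  }
  const upgrade = lower["upgrade"];
  if (typeof upgrade !== "string" || upgrade.toLowerCase() !== "websocket") {
    return { ok: false, reason: "not a websocket upgrade" };
  }
  if (!("origin" in lower)) {
    return allowNonBrowser
      ? { ok: true, reason: "no Origin header: non-browser client" }
      : { ok: false, reason: "missing Origin header" };
  }
  const origin = normalizeOrigin(lower["origin"]);
  if (origin === null) {
    return { ok: false, reason: "opaque or malformed Origin" };
  }
  // Exact set membership, never a suffix or substring match: a suffix check
  // would let https://app.example.com.evil.example through.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin " + origin + " not allowed" };
  }
  return { ok: true, reason: "origin " + origin + " allowed" };
}

// Constructed sample handshakes (not captured traffic).
const SAMPLES = {
  ourApp:    { Upgrade: "websocket", Origin: "https://app.example.com" },
  attacker:  { Upgrade: "websocket", Origin: "https://evil.example" },
  suffix:    { Upgrade: "websocket", Origin: "https://app.example.com.evil.example" },
  sandboxed: { Upgrade: "websocket", Origin: "null" },
  cli:       { Upgrade: "websocket" },
};

// Run every sample through the check and return name -> accepted?
function runSamples() {
  const out = {};
  for (const name of Object.keys(SAMPLES)) {
    out[name] = checkUpgrade(SAMPLES[name]).ok;
  }
  return out;
}

for (const name of Object.keys(SAMPLES)) {
  const r = checkUpgrade(SAMPLES[name]);
  console.log(name + ": " + (r.ok ? "accept" : "reject") + " (" + r.reason + ")");
}
```

To wire this into a real Node server you would call `checkUpgrade(req.headers)` inside the `'upgrade'` event handler of an `http.Server` (Node already lower-cases `req.headers`), and on a rejection write `HTTP/1.1 403 Forbidden\r\n\r\n` to the socket and destroy it before any WebSocket library sees the connection. Two caveats worth keeping in mind: the check only tells you which site's page opened the socket, so it complements, rather than replaces, validating the session cookie or token during the handshake; and because an origin is just scheme, host and port, two applications served from the same origin (different paths, for example) are indistinguishable to it.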

Yes and no. Recently browsers started assuming that a response without CORS headers is unsafe unless it is from the same origin. So even though you can make a request, if it fails preflight it will not even reach your server.

You can try this by opening a console on any webpage and trying to do fetch requests, or add img tags to the page, that load resources from localhost.

If you base it on origin, couldn't that have false positives too? Like, say, other, less privileged apps?