by sidewndr46 380 days ago
This is also a misunderstanding. CORS only applies to the Layer 7 communication. The rest you can figure out from the timing of that.

Significant components of the browser, such as WebSockets, have no such restrictions at all.

2 comments

Won't the browser still append the "Origin" field to WebSocket requests, allowing servers to reject them?
yes, and that's exactly how discord's websocket communication checks work (allowing them to offer a non-scheme "open in app" from the website).

they also had some kind of RPC websocket system for game developers, but that appears to have been abandoned: https://discord.com/developers/docs/topics/rpc

A WebSocket starts as a normal HTTP request, so it is subject to CORS if the initial request was (e.g. if it was a POST)
websockets aren't subject to CORS, they send the initiating webpage in the Origin header but the server has to decide whether that's allowed.
Unfortunately, the initial WebSocket HTTP request is defined to always be a GET request.
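
The server-side Origin check discussed in this thread, as an added example that is not part of any comment above: it parses a WebSocket opening handshake and accepts it only when the `Origin` header exactly matches an allowlist. The host names, the allowlist and the helper names are assumptions made for illustration; the sample request is constructed.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
ALLOWED_ORIGINS = {"https://app.example.com"}      # assumed allowlist

def parse_request(raw):
    """Split a raw HTTP request into (method, headers keyed by lowercase name)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def handshake_response(raw, allowed=ALLOWED_ORIGINS):
    """Return (status, response_headers) for a WebSocket upgrade request."""
    method, h = parse_request(raw)
    if method != "GET" or h.get("upgrade", "").lower() != "websocket":
        return 400, {}
    key = h.get("sec-websocket-key")
    if not key:
        return 400, {}
    # The browser sends no CORS preflight for this request, so the server is
    # the only gate. Exact match only; a missing Origin is rejected as well.
    if h.get("origin") not in allowed:
        return 403, {}
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": base64.b64encode(digest).decode()}

def sample(origin, method="GET"):
    """Constructed handshake; the key is the sample nonce from RFC 6455."""
    lines = [method + " /chat HTTP/1.1", "Host: ws.example.com",
             "Upgrade: websocket", "Connection: Upgrade",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
             "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append("Origin: " + origin)
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    for origin in ("https://app.example.com",
                   "https://app.example.com.evil.test", None):
        print(origin, handshake_response(sample(origin))[0])
```

Rejecting requests with no `Origin` header also blocks non-browser clients; a service that must accept those needs a separate authentication step, since the header is only trustworthy when a browser sets it.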