Hacker News new | ask | show | jobs
by mbrubeck 6025 days ago
The spec allows the server complete discretion to accept or reject cross-origin requests. Only the origin in the request (sent by the client) is defined in terms of the originating web page; it's left entirely up to the server to decide whether or not to allow requests from any given origin. The spec talks about the server being "willing" to respond to requests from different origins, and explicitly mentions that it may support multiple origins ("This is why the server has to send these strings: to confirm which origins and URLs the server is willing to service").

This is basically the same as the Cross-Origin Resource Sharing spec, another W3C spec supported by some current browsers:

http://www.w3.org/TR/access-control/

> "The first three lines in each case are hard-coded" (referring to the origin)

No, the three hard-coded lines of each handshake part come before the origin headers:

        GET /demo HTTP/1.1
        Upgrade: WebSocket
        Connection: Upgrade
        [...]

        HTTP/1.1 101 Web Socket Protocol Handshake
        Upgrade: WebSocket
        Connection: Upgrade
        [...]
1 comments
daleharvey 6024 days ago
the problem isnt the server, http servers right now can serve webpages to any client, its wether the client will allow the connection, as they dont with xhr

from a guess at the fact they specifically say they use the existing same origin policy, they cant, but the confusion is cleared up with a simple test, I will check tomorrow

link
mbrubeck 6024 days ago
This is a way for servers to opt in and tell the client to allow cross-domain requests, just like crossdomain.xml or CORS.

I haven't tried it myself with web sockets yet, but I've done some experiments with XHR+CORS (almost the same protocol, except for different names of the response headers) and it does work cross-origin on recent Gecko and WebKit browsers.

UPDATE: Ran a quick test using the current Google Chrome beta for Linux and standalone.py from Google's mod_websocket, and successfully opened a cross-origin WebSocket connection, just as described in the spec. mod_websocket will authorize requests from any origin by default; there's a sample handler included that shows how to reject cross-origin requests on the server.

link
daleharvey 6024 days ago
ok cool, if I stand corrected that would be awesome, cheers
link