Hacker News new | past | comments | ask | show | jobs | submit login

This is also a misunderstanding. CORS only applies to the Layer 7 communication. The rest you can figure out from the timing of that.

Significant components of the browser, such as Websockets have no such restrictions at all






Won't the browser still append the "Origin" field to WebSocket requests, allowing servers to reject them?

reply


yes, and that's exactly how discord's websocket communication checks work (allowing them to offer a non-scheme "open in app" from the website).

they also had some kind of RPC websocket system for game developers, but that appears to have been abandoned: https://discord.com/developers/docs/topics/rpc

reply


A WebSocket starts as a normal http request, so it is subject to cors if the initial request was (eg if it was a post)

reply


websockets aren't subject to CORS, they send the initiating webpage in the Origin header but the server has to decide whether that's allowed.

reply


Unfortunately, the initial WebSocket HTTP request is defined to always be a GET request.

reply




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: