Hacker News new | past | comments | ask | show | jobs | submit login

This is also a misunderstanding. CORS only applies to the Layer 7 communication. The rest you can figure out from the timing of that.

Significant components of the browser, such as Websockets have no such restrictions at all






Won't the browser still append the "Origin" field to WebSocket requests, allowing servers to reject them?

yes, and that's exactly how discord's websocket communication checks work (allowing them to offer a non-scheme "open in app" from the website).

they also had some kind of RPC websocket system for game developers, but that appears to have been abandoned: https://discord.com/developers/docs/topics/rpc


A WebSocket starts as a normal http request, so it is subject to cors if the initial request was (eg if it was a post)

websockets aren't subject to CORS, they send the initiating webpage in the Origin header but the server has to decide whether that's allowed.

Unfortunately, the initial WebSocket HTTP request is defined to always be a GET request.



Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: