websockets aren't subject to CORS, they send the initiating webpage in the Origin header but the server has to decide whether that's allowed.