[whatwg] WebSocket websocket-origin

Shannon shannon at arc.net.au
Mon Sep 29 21:59:19 PDT 2008

Anne van Kesteren wrote:
> What is the reason for doing literal comparison on the 
> websocket-origin and websocket-location HTTP headers? Access Control 
> for Cross-Site Requests is currently following this design for 
> access-control-allow-origin but sicking is complaining about so maybe 
> it should be URL-without-<path> comparison instead. (E.g., then 
> http://example.org and http://example.org:80 would be equivalent.)
I think the temptation to standardise features like access control 
defeats the point of websockets. Since things like access control and 
sessions can be readily implemented via CGI interfaces it seems implied 
that the whole point of websockets is to provide "lightweight" services. 
If the service actually needs something like this then the author can 
perform the check post-handshake using any method they feel like. I 
don't really feel strongly one way or the other about this particular 
header but I'm concerned about the slippery-slope of complicating the 
HTTP handshake to the point where you might as well be using CGI. Maybe 
the standard should simply recommend sending the header but make no 
requirement about how it is parsed. That way the service itself can 
decide whether the check is even necessary and if so whether it should 
be strict or loose or regex-based without the client automatically 
hanging up the connection.


More information about the whatwg mailing list