| CARVIEW |
Select Language
HTTP/2 200
date: Thu, 25 Dec 2025 10:33:21 GMT
content-type: text/html; charset=utf-8
cache-control: max-age=0, private, must-revalidate
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com/ copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
link: ; rel=preload; as=fetch; crossorigin=use-credentials
referrer-policy: no-referrer-when-downgrade
server-timing: issue_layout-fragment;desc="issue_layout fragment";dur=655.783938,issue_conversation_content-fragment;desc="issue_conversation_content fragment";dur=612.542158,nginx;desc="NGINX";dur=1.010522,glb;desc="GLB";dur=101.65543
strict-transport-security: max-age=31536000; includeSubdomains; preload
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With, Accept,Accept-Encoding, Accept, X-Requested-With
x-content-type-options: nosniff
x-frame-options: deny
x-voltron-version: aab62e3
x-xss-protection: 0
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=5e6hLKMUM2W20mxMKj7HADmqa4bkhKuayJ%2BZv9%2B6Ckuk1%2F9%2F%2B3FuLu71gmm2w8QSEt4WtGAt0uO58Ffy3B07LOj1qGRaXwuKjXBQ%2Br%2BSyLKFNhefrCN9ALpLCQT01maC4B32WUrCBXfkF2FCe7FayoiEK8RDnOc36QnGwAA81DwyF03DimYlc8RgVVj6Je582Bl9vTBAbVmmusV%2BZco8Icjigek7lOn2%2BDJCgl%2BVk5%2BXs1p3WlAJXdm9yFGmzBlvWjC6FhzPcRex%2BOa83608Ng%3D%3D--sBffcK9U5GyA85Uj--0Sj2gEPVtKw5OgGdjn4CIQ%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.490522209.1766658800; Path=/; Domain=github.com; Expires=Fri, 25 Dec 2026 10:33:20 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Fri, 25 Dec 2026 10:33:20 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: DA5E:2C07D:2A78987:3286EF5:694D12F0
WebSockets Β· Issue #14 Β· WICG/private-network-access Β· GitHub
No one assignedNo labelsNo typeNo projectsNo milestoneNone yetNo branches or pull requests
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 27
Open
Description
Not sure what the capabilities of the GET are, and how much control the caller has.
The capabilities of the GET and the control of the caller are basically identical to an <img> tag. There is an additional Sec-WebSocket-Protocol header whose contents are a list of tokens controlled by JavaScript. Credentials are always included.
If we need a prefetch to even consider issuing a request for an <img> tag then we must do the same for a WebSocket request, or it would be a big hole in the protection.
From a protocol purity point of view, a preflight is best, as it avoids making any changes to RFC6455.
However, from an implementation point of view a preflight is a lot of work. Chromium's WebSocket code goes down a completely different route from the CORS code. On the server side, "pure" WebSocket servers that don't implement HTTP are going to have a hard time adding support for a preflight.
Integrating a website with software running locally (eg. Spotify) is a popular use-case for WebSockets, and so the impact of this change would be considerable.
mikestaubAjedi32
Metadata
Metadata
Assignees
Labels
No labels
Type
Projects
Milestone
Relationships
Development
Issue actions
You canβt perform that action at this time.