ricea/websocketstream-explainer

Custom headers into handshake

adrianhopebailie opened this issue · 1 comments

Please allow developers to pass custom headers into the constructor so they can, for example, provide an Authorization header.

ricea commented

It's not possible to implement HTTP Authentication in JavaScript because it is handled in the lower levels of the browser's network stack. JavaScript cannot read the 401 response from the server. This means that even if it was possible to provide an Authorization header, it would not be possible to get the semantics right.

WebSockets don't participate in CORS, which would mean the only headers that could safely be set are those on the CORS-safelisted request-header list. None of these are even meaningful for WebSockets.

One possible solution would be to add a CORS mode to WebSockets to permit CORS preflights to be sent. This is probably feasible, but would further encourage people to expect WebSockets to behave like HTTP. The addition of HTTP features to WebSockets has been an enormous source of problems, and it's not something I want to expand upon.

I am leaving this issue open because it is a common request, and it's possible a compelling use case will arise.
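Added example, not part of the thread or of the WebSocketStream project: since the handshake gets no CORS preflight and page script cannot attach its own headers, a server has to judge a browser handshake from what the browser sets itself, chiefly `Origin`. The sketch below does that check in JavaScript; the allowlist, host names, sample requests and the policy of rejecting a missing `Origin` are assumptions.

```javascript
// Constructed allowlist: origins permitted to open a WebSocket to this server.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Parse a raw HTTP/1.1 request head into method, target and a lowercase header map.
function parseRequestHead(raw) {
  const [requestLine, ...lines] = raw.split("\r\n");
  const [method, target] = requestLine.split(" ");
  const headers = new Map();
  for (const line of lines) {
    if (line === "") break; // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx <= 0) return null; // malformed header line
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return { method, target, headers };
}

// Decide whether to complete the opening handshake. Returns { status, reason }.
function checkHandshake(raw, allowedOrigins = ALLOWED_ORIGINS) {
  const req = parseRequestHead(raw);
  if (!req || req.method !== "GET") return { status: 400, reason: "malformed request" };
  const h = req.headers;
  const conn = (h.get("connection") || "").toLowerCase().split(",").map((t) => t.trim());
  if ((h.get("upgrade") || "").toLowerCase() !== "websocket" || !conn.includes("upgrade"))
    return { status: 400, reason: "not a WebSocket upgrade" };
  if (h.get("sec-websocket-version") !== "13" || !h.get("sec-websocket-key"))
    return { status: 400, reason: "bad WebSocket version or key" };
  // No preflight precedes the handshake, so the Origin comparison has to happen here.
  const origin = h.get("origin");
  if (origin === undefined) return { status: 403, reason: "missing Origin" }; // assumed policy
  if (!allowedOrigins.has(origin)) return { status: 403, reason: "origin not allowed" };
  return { status: 101, reason: "ok" };
}

// Constructed sample handshake; pass null to omit the Origin header.
function sampleHandshake(origin) {
  return [
    "GET /chat HTTP/1.1",
    "Host: ws.example",
    "Upgrade: websocket",
    "Connection: keep-alive, Upgrade",
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version: 13",
    ...(origin ? [`Origin: ${origin}`] : []),
    "",
    "",
  ].join("\r\n");
}
```

Non-browser clients can send any `Origin` they like, so this check only constrains which web pages can connect; it does not authenticate the user.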