"WebSockets is a nightmare because it does not come under the Same-origin policy."<p>yes, i discovered this myself about a week ago.<p>i was surprised that i was able to connect to a localhost websocket when using an internal app on another domain. i expected this to fail and require CORS like XMLHttpRequest. after rejoicing briefly that i didnt need to whitelist it and was saving 2min, i was pretty terrified.