Just remember that authentication and origin checking are completely up to the websocket server.
Any random page in a browser can talk to your websocket cross-origin, and it's up to your server to check the "Origin" header to make sure it's actually your app on the other end.
Yes and no. Recently browsers started assuming that a response without CORS headers is unsafe unless from the same origin. So even though you can make a request, if it fails preflight it will not even reach your server.
You can try this by opening a console on any webpage and trying to do fetch requests or add img tags to the page that are loading resources from localhost.
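The server-side "Origin" check described in the first comment above, sketched as an added example that is not code from either commenter. The allowlist, hostnames, and function names are assumptions made for illustration, and the sample handshake headers are constructed.

```javascript
// Assumed allowlist: the only origin(s) that serve your app. Placeholder value.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Reduce an Origin header value to scheme://host[:port], or null if unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    // An Origin header carries no path, query, fragment or credentials.
    if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
    return u.origin; // lower-cases the host and drops a default port
  } catch {
    return null;
  }
}

// headers: lower-cased header map, the shape Node's http module gives in req.headers.
function checkUpgradeOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const raw = headers["origin"];
  if (raw === undefined) {
    // Non-browser clients need not send Origin, so this check is not
    // authentication. Policy chosen here: refuse, and authenticate separately.
    return { ok: false, status: 403, reason: "missing Origin" };
  }
  const origin = normalizeOrigin(raw);
  if (origin === null) return { ok: false, status: 403, reason: "null or malformed Origin" };
  // Exact match on the normalized origin; never substring or prefix matching.
  if (!allowed.has(origin)) return { ok: false, status: 403, reason: "origin not allowed" };
  return { ok: true, status: 101, reason: "origin allowed" };
}

// Constructed handshake headers covering the cases the check must separate.
const SAMPLES = [
  { origin: "https://app.example.com" },            // the app itself
  { origin: "https://APP.example.com:443" },        // same origin, different spelling
  { origin: "https://app.example.com.other.test" }, // look-alike host
  { origin: "http://app.example.com" },             // scheme differs
  { origin: "null" },                               // opaque origin (sandboxed frame, file:)
  {},                                               // no Origin header at all
];

function runSamples() {
  return SAMPLES.map((h) => checkUpgradeOrigin(h).ok);
}
```

In a Node server this would be called with `req.headers` from the HTTP server's `upgrade` event, before the handshake is completed.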