Btw,
WebSockets do support CORS stuff. Wouldn’t adding more domains to the Access-Control-Allow-Origin header allow for easier access control without having to gamble with private keys?
// edit: Well, I suppose it wouldn’t actually restrict communication at all, just prevent some cross-site scripting from other domains. Forget about it.