The Rails version allows a few CORS settings to be checked, and it rejects connections when they don't match:
config.action_cable.allowed_request_origins = ['https://rubyonrails.com', %r{http://ruby.*}]
# disable it with
config.action_cable.disable_request_forgery_protection = true
https://guides.rubyonrails.org/action_cable_overview.html#allowed-request-origins
The Rails version allows a few CORS settings to be checked, and it rejects connections when they don't match: