[Bug 14592] New: EventSource should default to use "Use Credentials" set to false for CORS

From: <bugzilla@jessica.w3.org>
Date: Fri, 28 Oct 2011 19:38:00 +0000
To: public-webapps@w3.org
Message-ID: <bug-14592-2927@http.www.w3.org/Bugs/Public/>

           Summary: EventSource should default to use "Use Credentials"
                    set to false for CORS
           Product: WebAppsWG
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Server-Sent Events (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: jonas@sicking.cc
         QAContact: member-webapi-cvs@w3.org
                CC: mike@w3.org, public-webapps@w3.org

In order to default to a safer mode of operation, EventSource should default
to not sending credentials in cross-origin requests. This also has the
advantage that it matches how XMLHttpRequest works.

In order to opt in to using credentials, a constructor argument should be used.
Something like the following WebIDL:

dictionary EventSourceInit {
  boolean withCredentials = false;
};

[Constructor(DOMString url, optional EventSourceInit optParams)]
interface EventSource : EventTarget {
  // (other EventSource members omitted)
  readonly attribute boolean withCredentials;
};

This also matches the conclusion we came to during the Mozilla security review
and is thus the solution we're for now planning on deploying (prefixed for now,
of course).

Received on Friday, 28 October 2011 19:38:12 UTC
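
Added example (not part of the original message or of any browser's code): a JavaScript model of the proposed default together with the CORS check a browser applies to the response, useful for checking what an event-stream server has to send back. The function names, origins and header sets are constructed for illustration.

```javascript
// Constructed sample values: a page on one origin, an event stream on another.
const PAGE = "https://app.example";
const STREAM = "https://events.example/stream";

// Does the request carry cookies / HTTP auth? Under the proposal the
// withCredentials member defaults to false, so cross-origin requests are
// anonymous unless the page opts in; same-origin requests are unaffected.
function sendsCredentials(pageOrigin, url, init = {}) {
  const sameOrigin = new URL(url).origin === pageOrigin;
  return sameOrigin || init.withCredentials === true;
}

// CORS check on a cross-origin response. headers uses lower-case names.
function corsCheck(pageOrigin, headers, credentialed) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  // The wildcard is only honoured for requests sent without credentials.
  if (!credentialed && allowOrigin === "*") return true;
  if (allowOrigin !== pageOrigin) return false;
  if (!credentialed) return true;
  // Credentialed requests also need an explicit opt-in from the server.
  return headers["access-control-allow-credentials"] === "true";
}

// Can the page read the stream, given the server's response headers?
function canReadStream(pageOrigin, url, init, headers) {
  if (new URL(url).origin === pageOrigin) return true; // no CORS check needed
  const credentialed = sendsCredentials(pageOrigin, url, init);
  return corsCheck(pageOrigin, headers, credentialed);
}

// Constructed server configurations.
const WILDCARD = { "access-control-allow-origin": "*" };
const OPTED_IN = {
  "access-control-allow-origin": PAGE,
  "access-control-allow-credentials": "true",
};

console.log(sendsCredentials(PAGE, STREAM));                               // false
console.log(canReadStream(PAGE, STREAM, {}, WILDCARD));                    // true
console.log(canReadStream(PAGE, STREAM, { withCredentials: true }, WILDCARD)); // false
console.log(canReadStream(PAGE, STREAM, { withCredentials: true }, OPTED_IN)); // true
```

With the default, a public stream behind a wildcard header stays readable but never sees the user's cookies; a stream that needs the user's session must name the page's origin and send Access-Control-Allow-Credentials: true.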