W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2011

[whatwg] Enhancement request: change EventSource to allow cross-domain access

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 17 Jun 2011 22:31:42 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1106172226250.14203@ps20323.dreamhostps.com>
On Fri, 17 Jun 2011, Jonas Sicking wrote:
> > On Wed, 1 Jun 2011, Jonas Sicking wrote:
> >>
> >> We should probably consider adding the ability to specify if you want 
> >> the request to happen with or without credentials (and default to the 
> >> safe option which is without credentials).
> >
> > Why?
> 
> For the same reasons that we're doing it for XHR and for <img>s.

For EventSource, the vast majority of streams are going to be 
user-specific, as far as I can tell, so the default should probably just 
be to send credentials. (That's what happens with <script>, the current 
way people try to solve this problem.)

The reason we _didn't_ send credentials by default for <img> was that most 
cross-origin images are going to be static, and it would be a huge pain 
for the server to have to do per-connection work to determine the HTTP 
headers each time. With EventSource, that's a non-issue, since the server 
is going to have to do lots of much heavier per-connection work anyway.


> People will likely want to create even streams that are specific to a 
> user. For example indicating that the value of a users stock portfolio 
> has gone up or down.

Agreed. But what's the use case for _not_ sending credentials here?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 17 June 2011 15:31:42 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:06 UTC