- From: <bugzilla@jessica.w3.org>
- Date: Fri, 28 Oct 2011 19:38:00 +0000
- To: public-webapps@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14592

    Summary: EventSource should default to use "Use Credentials" set to false for CORS
    Product: WebAppsWG
    Version: unspecified
    Platform: PC
    OS/Version: All
    Status: NEW
    Severity: normal
    Priority: P2
    Component: Server-Sent Events (editor: Ian Hickson)
    AssignedTo: ian@hixie.ch
    ReportedBy: jonas@sicking.cc
    QAContact: member-webapi-cvs@w3.org
    CC: mike@w3.org, public-webapps@w3.org

In order to default to a more safe mode of operation EventSource should default to not sending credentials in cross-origin requests. This also has the advantage that it matches how XMLHttpRequest works.

In order to opt in to using credentials a constructor argument should be used. Something like the following WebIDL:

    dictionary EventSourceInit {
      boolean withCredentials = false;
    };

    [Constructor(DOMString url, optional EventSourceInit optParams)]
    interface EventSource : EventTarget {
      ...
      readonly attribute boolean withCredentials;
      ...
    };

This also matches the conclusion we came to during the Mozilla security review and is thus the solution we're for now planning on deploying (prefixed for now of course).
Received on Friday, 28 October 2011 19:38:12 UTC
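
The proposed default, as an added example that is not part of the original message or of any browser's code: a small JavaScript model of when an EventSource request carries credentials and when the page may read the response. The function names and the example.* origins are constructed for illustration, and the response check follows the standard CORS rules for credentialed requests, which the message itself does not spell out.

```javascript
// Added example: models browser behaviour under the proposed default
// (withCredentials = false). Function names and origins are hypothetical.

// Mirrors the proposed EventSourceInit dictionary: the flag defaults to false
// and only an explicit boolean true opts in.
function resolveInit(init = {}) {
  return { withCredentials: init.withCredentials === true };
}

// Cookies and HTTP auth are attached to same-origin requests, and to
// cross-origin requests only when the page opted in via the constructor.
function sendsCredentials(pageOrigin, url, init) {
  const sameOrigin = new URL(url).origin === pageOrigin;
  return sameOrigin || resolveInit(init).withCredentials;
}

// CORS check on the response: true when the page may read the event stream.
// headers: plain object keyed by lower-case header name (constructed input).
function streamReadable(pageOrigin, url, init, headers) {
  if (new URL(url).origin === pageOrigin) return true; // no CORS check needed
  const allowOrigin = headers["access-control-allow-origin"];
  if (!resolveInit(init).withCredentials) {
    // Anonymous mode: a wildcard or an exact origin match is enough.
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // Credentialed mode: the wildcard is rejected and the server must also
  // send Access-Control-Allow-Credentials: true.
  return allowOrigin === pageOrigin &&
         headers["access-control-allow-credentials"] === "true";
}
```

A server that answers every origin with a wildcard Access-Control-Allow-Origin therefore never exposes a logged-in user's stream to another site: the default request carries no cookies, and the credentialed request fails the check.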