
[whatwg] Revised Plan for Server-sent DOM events

From: Kornel Lesinski <kornel@osiolki.net>
Date: Tue, 08 Jan 2008 01:10:39 -0000
Message-ID: <op.t4k6v12g4suneb@aimac.local>
On Sat, 05 Jan 2008 06:51:29 -0000, Henry Mason <hmason at mac.com> wrote:

> - Unnecessary dependency on DOM Events

This feature is inherently event-based. I think it does make sense to
re-use the existing framework for event handling.

However, I haven't found a use-case for remote triggering of standard
events, like mouse and keyboard events. I always use my custom events,
because I don't want to couple server-side code with details of a particular
user interface.

> - Redundancy with already existing techniques, especially XMLHttpRequest

It's much simpler to use and allows the browser to manage the connection.

> I propose that we remove support for non-message events; that is, allow  
> only events with MessageEvent interface.


Scripts that need that functionality can create a wrapper on the client side
that will dispatch other types of events.

> The critically cool part, however, is that since MessageEvents store  
> their domain and URI origin, it will be safe to allow for cross-domain  
> messaging through this server-sent events.

I don't see how it makes cross-domain messaging safe. Without an
Access-Control mechanism, what would prevent a malicious site from reading
the event-source of e.g. users' Gmail chat? (a variant of a CSRF attack)

regards, Kornel Lesiński
Received on Monday, 7 January 2008 17:10:39 UTC
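
Added example, not part of the original message: a server-side origin check for a cookie-authenticated event stream, showing the kind of Access-Control gate the reply says is missing. It assumes today's CORS response headers and the `text/event-stream` media type as the concrete form of that mechanism; the allowlisted origins and the function names are constructed for illustration.

```javascript
// Added example (not from the original message). Origins below are constructed.
const ALLOWED_ORIGINS = new Set(["https://mail.example", "https://chat.example"]);

// Accept only a bare scheme://host[:port] value, as browsers send in Origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null; // not a parseable origin
  }
  // Reject anything with a path, query, userinfo or default port attached.
  return url.origin === value.toLowerCase() ? url.origin : null;
}

// Decide how to answer a request for a cookie-authenticated event stream.
// `headers` uses lower-case names, as Node's http module provides them.
function decideEventStream(headers) {
  const base = { "Content-Type": "text/event-stream", "Cache-Control": "no-store" };
  const raw = headers["origin"];
  if (raw === undefined) {
    // No Origin: handled as same-origin (an assumption of this sketch). No CORS
    // headers are emitted, so a cross-origin page still cannot read the response.
    return { status: 200, headers: base };
  }
  const origin = normalizeOrigin(raw);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: refuse before any event data is written.
    return { status: 403, headers: { "Vary": "Origin" } };
  }
  return {
    status: 200,
    headers: {
      ...base,
      // Echo the one vetted origin; "*" is not allowed with credentials.
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    },
  };
}
```

The refusal path matters as much as the headers: an origin that is not on the list gets a 403 before any of the user's events are written to the connection.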
