- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 17 Jun 2011 22:31:42 +0000 (UTC)
On Fri, 17 Jun 2011, Jonas Sicking wrote:
> > On Wed, 1 Jun 2011, Jonas Sicking wrote:
> >>
> >> We should probably consider adding the ability to specify if you want
> >> the request to happen with or without credentials (and default to the
> >> safe option which is without credentials).
> >
> > Why?
>
> For the same reasons that we're doing it for XHR and for <img>s.

For EventSource, the vast majority of streams are going to be user-specific, as far as I can tell, so the default should probably just be to send credentials. (That's what happens with <script>, the current way people try to solve this problem.)

The reason we _didn't_ send credentials by default for <img> was that most cross-origin images are going to be static, and it would be a huge pain for the server to have to do per-connection work to determine the HTTP headers each time. With EventSource, that's a non-issue, since the server is going to have to do lots of much heavier per-connection work anyway.

> People will likely want to create event streams that are specific to a
> user. For example indicating that the value of a user's stock portfolio
> has gone up or down.

Agreed. But what's the use case for _not_ sending credentials here?

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 17 June 2011 15:31:42 UTC
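
The per-connection header work discussed in the message above, as an added example that is not part of the original e-mail: a server deciding the CORS response headers for a cross-origin, user-specific event stream requested with cookies. The origin allowlist, session table, and function names are constructed for illustration.

```javascript
// Added example. The allowlist, session table and names are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const SESSIONS = new Map([["sid=abc123", "alice"]]); // cookie -> user

const STREAM_HEADERS = {
  "Content-Type": "text/event-stream",
  "Cache-Control": "no-store",
};

// Decide status and headers for one event-stream request.
// req.headers uses lower-case header names, as Node's http module does.
function decideStreamResponse(req) {
  const origin = req.headers["origin"];
  const user = SESSIONS.get(req.headers["cookie"]) || null;
  const cors = {};

  if (origin !== undefined) {
    // Cross-origin: refuse unknown origins before touching user data.
    if (!ALLOWED_ORIGINS.has(origin)) {
      return { status: 403, headers: {}, user: null };
    }
    // A credentialed response must name the exact origin ("*" is rejected
    // by browsers) and must opt in to credentials explicitly.
    cors["Access-Control-Allow-Origin"] = origin;
    cors["Access-Control-Allow-Credentials"] = "true";
    cors["Vary"] = "Origin"; // the response differs per requesting origin
  }

  if (user === null) {
    return { status: 401, headers: cors, user: null };
  }
  return { status: 200, headers: { ...STREAM_HEADERS, ...cors }, user };
}

// Format one user-specific event in the text/event-stream framing.
function formatEvent(name, data) {
  return `event: ${name}\ndata: ${JSON.stringify(data)}\n\n`;
}
```
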