[whatwg] Enhancement request: change EventSource to allow cross-domain access

On Sat, 18 Jun 2011 00:31:42 +0200, Ian Hickson <ian at hixie.ch> wrote:
> The reason we _didn't_ send credentials by default for <img> was that  
> most cross-origin images are going to be static, and it would be a huge  
> pain
> for the server to have to do per-connection work to determine the HTTP
> headers each time. With EventSource, that's a non-issue, since the server
> is going to have to do lots of much heavier per-connection work anyway.

I think we should change CORS to allow * for credentialed requests. People  
have already asked for that. That would also allow dropping the  
crossorigin="" attribute which complicates the request model for the  
elements it is applicable to a lot. (Too much, in my opinion.)

(I designed CORS in such a way it could be used for <img> and such without  
the need to introduce new syntax.)

Anne van Kesteren

Received on Saturday, 18 June 2011 01:01:07 UTC