[whatwg] Enhancement request: change EventSource to allow cross-domain access

On Thu, Jun 23, 2011 at 5:09 PM, ilya goberman <goberman at msn.com> wrote:
> Jonas,
> It is personalized on something that we send in the URL ("client id" I
> mentioned below)?which identifies which user's data is requested. We do not
> use cookies.
>
> Ian was kind enough to explain to me how EventSource will function.
> Apparently EventSource will have withCredentials always set to true (false
> is not allowed).
> That means that using * for Access-Control-Allow-Origin will never work for
> the EventSource and I have to put request's "Origin" value in the response's
> Access-Control-Allow-Origin to enable CORS.
> It is not a huge deal, unless there are some proxies that will not pass
> Origin through (I do not really know if there are any).

The main argument for always having withCredentials set to true is
that there was a lack of use cases for setting it to false. However,
it appears that whatever you're building is at least one such use
case.

I'm actually a bit reluctant to use the more complex and sensitive
security model by default. It's very easy for people to share more
information than they need and would be a reason for people to use XHR
instead of EventSource which is unfortunate.

I think we'll end up prototyping this soon in Firefox at which point
this feature will have to pass through security review when we'll look
at this more closely.

/ Jonas

Received on Thursday, 23 June 2011 19:46:18 UTC
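
The CORS behaviour discussed in this thread, as an added example that is not part of either message: with credentials enabled, the browser rejects `Access-Control-Allow-Origin: *`, so the server has to echo the request's `Origin`, and it should do so only for origins it trusts. The allowlist contents and both function names are hypothetical, and the origins are constructed sample values.

```javascript
// Added example; ALLOWED_ORIGINS and both function names are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed sample origins
  "https://admin.example.com",
]);

// Server side: build the CORS headers for an event-stream response.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin keeps shared caches from serving one origin's
  // response (with its echoed header) to a different origin.
  const headers = { "Content-Type": "text/event-stream", "Vary": "Origin" };
  // Echo the Origin only on an exact allowlist match. Reflecting any
  // Origin together with Allow-Credentials would let every site read
  // the stream with the user's credentials attached.
  if (typeof requestOrigin === "string" && allowed.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: the CORS check applied to a credentialed response.
function passesCredentialedCorsCheck(requestOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;   // no CORS opt-in at all
  if (acao === "*") return false;         // wildcard is rejected with credentials
  if (acao !== requestOrigin) return false; // must match the origin exactly
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed cases: a trusted origin, an unknown origin, and a wildcard reply.
const wildcardReply = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
};
console.log(passesCredentialedCorsCheck("https://app.example.com",
  corsHeadersFor("https://app.example.com")));
console.log(passesCredentialedCorsCheck("https://other.example.net",
  corsHeadersFor("https://other.example.net")));
console.log(passesCredentialedCorsCheck("https://app.example.com", wildcardReply));
```
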