[whatwg] Enhancement request: change EventSource to allow cross-domain access

Jonas Sicking jonas at sicking.cc
Thu Jun 23 19:46:18 PDT 2011


On Thu, Jun 23, 2011 at 5:09 PM, ilya goberman <goberman at msn.com> wrote:
> Jonas,
> It is personalized on something that we send in the URL ("cleint id" I
> mentioned below) which identifies which user's data is requested. We do not
> use cookies.
>
> Ian was kind enough to explain to me how EventSource will function.
> Apparently EventSource will have withCredentials always set to true (false
> is not allowed).
> That means that using * for Access-Control-Allow-Origin will never work for
> the EventSource and I have to put request's "Origin" value in the response's
> Access-Control-Allow-Origin to enable CORS.
> It is not a huge deal, unless there are some proxies that will not pass
> Origin through (I do not really know if there are any).

The main argument for always having withCredentials set to true is
that there was a lack of use cases for setting it to false. However
this appears that whatever you're building is at least one such use
case.

I'm actually a bit reluctant to use the more complex and sensitive
security model by default. It's very easy for people to share more
information than they need and would be a reason for people to use XHR
instead of EventSource which is unfortunate.

I think we'll end up prototyping this soon in Firefox at which point
this feature will have to pass through security review when we'll look
at this more closely.

/ Jonas


More information about the whatwg mailing list