[whatwg] Revised Plan for Server-sent DOM events
Kornel Lesinski
kornel at osiolki.net
Mon Jan 7 17:10:39 PST 2008
On Sat, 05 Jan 2008 06:51:29 -0000, Henry Mason <hmason at mac.com> wrote:
> - Unnecessary dependency on DOM Events
This feature is inherently event-based. I think it does make sense to
re-use the existing framework for event handling.
However, I haven't found a use case for remote triggering of standard
events, like mouse and keyboard events. I always use my custom events,
because I don't want to couple server-side code with details of a particular
user interface.
> - Redundancy with already existing techniques, especially XMLHttpRequest
It's much simpler to use and allows the browser to manage the connection.
> I propose that we remove support for non-message events; that is, allow
> only events with MessageEvent interface.
+1
Scripts that need that functionality can create a wrapper on the client side
that will dispatch other types of events.
> The critically cool part, however, is that since MessageEvents store
> their domain and URI origin, it will be safe to allow for cross-domain
> messaging through this server-sent events.
I don't see how it makes cross-domain messaging safe. Without an
Access-Control mechanism, what would prevent a malicious site from reading
the event-source of e.g. users' Gmail chat? (a variant of a CSRF attack)
--
regards, Kornel Lesiński
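
One way a server can apply the access-control check raised in the message above, as an added example that is not part of the original post. It assumes the `Origin` request header and the `Access-Control-Allow-*` response headers of today's CORS; the function name, allow-list and sample origins are constructed for illustration.

```javascript
// Added example. Allow-list and sample origins are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://chat.example", "https://mail.example"]);

// Decide how to answer a GET for a per-user event stream.
//   headers:      request headers, lower-cased names (as Node's http module gives them)
//   sessionValid: true if the request carried a valid session cookie
function decideStreamAccess(headers, sessionValid, allowed = ALLOWED_ORIGINS) {
  if (!sessionValid) {
    return { status: 401, headers: {} };
  }
  const origin = headers["origin"];
  if (origin === undefined) {
    // No Origin header: not a cross-origin EventSource/XHR request. Serve the
    // stream without CORS headers, so the same-origin policy still hides it
    // from pages on other sites.
    return { status: 200, headers: { "Content-Type": "text/event-stream" } };
  }
  if (!allowed.has(origin)) {
    // The browser attached the user's cookie, but the requesting page is not
    // trusted: refuse before any private event is written to the stream.
    return { status: 403, headers: {} };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "text/event-stream",
      // Echo the exact origin; browsers reject "*" on credentialed requests.
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin", // keep caches from reusing one origin's answer for another
    },
  };
}

// Constructed requests: same valid cookie each time, different requesting pages.
const samples = [{ origin: "https://chat.example" }, { origin: "https://attacker.example" }, {}];
for (const h of samples) {
  console.log(h.origin ?? "(no Origin)", "->", decideStreamAccess(h, true).status);
}
```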