[whatwg] Revised Plan for Server-sent DOM events

Kornel Lesinski kornel at osiolki.net
Mon Jan 7 17:10:39 PST 2008


On Sat, 05 Jan 2008 06:51:29 -0000, Henry Mason <hmason at mac.com> wrote:

> - Unnecessary dependency on DOM Events

This feature is inherently event-based. I think it does make sense to
re-use the existing framework for event handling.

However, I haven't found a use case for remote triggering of standard
events, like mouse and keyboard events. I always use my custom events,
because I don't want to couple server-side code with details of a particular
user interface.

> - Redundancy with already existing techniques, especially XMLHttpRequest

It's much simpler to use and allows the browser to manage the connection.

> I propose that we remove support for non-message events; that is, allow
> only events with the MessageEvent interface.

+1

Scripts that need that functionality can create a wrapper on the client side
that will dispatch other types of events.

> The critically cool part, however, is that since MessageEvents store
> their domain and URI origin, it will be safe to allow for cross-domain
> messaging through these server-sent events.

I don't see how it makes cross-domain messaging safe. Without an
Access-Control mechanism, what would prevent a malicious site from reading
the event-source of e.g. users' Gmail chat? (a variant of a CSRF attack)

-- 
regards, Kornel Lesiński
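
The client-side wrapper mentioned in the message, sketched as an added example (not code from the post or from the WHATWG proposal): it accepts only message-type events and re-dispatches an allowlisted set of application events, never standard UI events. The JSON payload shape, the event names, the origin value and the names `redispatch` and `AppEvent` are assumptions.

```javascript
// Hypothetical names and constructed values throughout.
// Only application-defined event types may be re-dispatched; standard UI
// events (click, keydown, ...) are never synthesized from server data.
const ALLOWED_TYPES = new Set(['chat-message', 'presence-change']);
// Origins whose messages this page accepts (constructed value).
const TRUSTED_ORIGINS = new Set(['https://events.example.com']);

class AppEvent extends Event {
  constructor(type, detail) {
    super(type);
    this.detail = detail;
  }
}

// Returns true if an event was dispatched on `target`, false if rejected.
// `messageEvent` needs the MessageEvent fields `origin` and `data`.
function redispatch(messageEvent, target) {
  // The origin check protects this receiver from untrusted senders. It does
  // not restrict who may read the stream; that needs access control on the
  // serving side, which is the concern raised in the message.
  if (!TRUSTED_ORIGINS.has(messageEvent.origin)) return false;

  let payload;
  try {
    payload = JSON.parse(messageEvent.data); // assumed payload format
  } catch (e) {
    return false; // malformed data is dropped, not dispatched
  }
  if (payload === null || typeof payload !== 'object') return false;
  if (typeof payload.type !== 'string' || !ALLOWED_TYPES.has(payload.type)) return false;

  target.dispatchEvent(new AppEvent(payload.type, payload.detail));
  return true;
}

// Constructed sample input: one accepted event, two rejected ones.
function demo() {
  const target = new EventTarget();
  const seen = [];
  target.addEventListener('chat-message', (e) => seen.push(e.detail.text));
  target.addEventListener('click', () => seen.push('click'));
  const msg = (origin, body) => ({ origin, data: JSON.stringify(body) });
  const ok = 'https://events.example.com';
  const results = [
    redispatch(msg(ok, { type: 'chat-message', detail: { text: 'hi' } }), target),
    redispatch(msg(ok, { type: 'click' }), target),
    redispatch(msg('https://other.example', { type: 'chat-message', detail: { text: 'x' } }), target),
  ];
  return { results, seen };
}
```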


