[whatwg] Server-Sent Events and CORS

Nicholas Zakas nzakas at yahoo-inc.com
Tue Oct 19 12:24:25 PDT 2010

In the latest draft of Server-Sent Events, the EventSource object upholds the same origin policy for event stream resources. Although CORS is mentioned in the references section, it's not mentioned in the body of the spec, so I was wondering if this has been brought up before?

The reason I bring this up now is that it seems cross-origin requests are far more important for hanging GET requests than for normal XHR. Consider a large scale web application that uses Apache for serving pages. You clearly do not want Apache handling high-duration requests on top of normal page serving, as the former could prevent the latter if there are enough simultaneous connections. In practice, you'd want a separate box or series of boxes to handle just the hanging GETs, possibly running Jetty or NodeJS, so that the hanging GET requests don't affect the performance of the page serving.

IMHO, CORS really needs to be included as part of any implementation so that this can be used at scale. Otherwise, developers would be forced to use an iframe/postMessage() mechanism to work around the same origin policy. Are there any plans to formally include CORS in the spec?



Commander Lock: "Dammit Morpheus, not everyone believes what you believe!"
Morpheus: "My beliefs do not require them to."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20101019/e4966619/attachment.htm>

More information about the whatwg mailing list