[whatwg] Enhancement request: change EventSource to allow cross-domain access

Ian Hickson ian at hixie.ch
Tue Dec 6 15:49:26 PST 2011

On Thu, 23 Jun 2011, Per-Erik Brodin wrote:
> Another question was raised in 
>    https://bugs.webkit.org/show_bug.cgi?id=61862#c17
> The origin set on the dispatched message events is specified to be the 
> "origin of the event stream's URL". Is this the URL passed to the 
> EventSource constructor or the URL after some potential redirects (even 
> temporary)?

Fixed to be the final URL (it used to not matter).

On Thu, 23 Jun 2011, ilya goberman wrote:
> It is personalized on something that we send in the URL ("cleint id" I 
> mentioned below) which identifies which user's data is requested. We do 
> not use cookies.
> Ian was kind enough to explain to me how EventSource will function.
> Apparently EventSource will have withCredentials always set to true 
> (false is not allowed). That means that using * for 
> Access-Control-Allow-Origin will never work for the EventSource and I 
> have to put request's "Origin" value in the response's 
> Access-Control-Allow-Origin to enable CORS. It is not a huge deal, 
> unless there are some proxies that will not pass Origin through (I do 
> not really know if there are any). Thanks

FWIW, I've since changed the spec so that you can specify whether to send 
credentials or not. When credentials aren't sent, you can use the * form.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list