[whatwg] Enhancement request: change EventSource to allow cross-domain access

Adam Barth w3c at adambarth.com
Sat Jun 18 06:22:22 PDT 2011


On Sat, Jun 18, 2011 at 1:01 AM, Anne van Kesteren <annevk at opera.com> wrote:
> On Sat, 18 Jun 2011 00:31:42 +0200, Ian Hickson <ian at hixie.ch> wrote:
>>
>> The reason we _didn't_ send credentials by default for <img> was that most
>> cross-origin images are going to be static, and it would be a huge pain
>> for the server to have to do per-connection work to determine the HTTP
>> headers each time. With EventSource, that's a non-issue, since the server
>> is going to have to do lots of much heavier per-connection work anyway.
>
> I think we should change CORS to allow * for credentialed requests. People
> have already asked for that. That would also allow dropping the
> crossorigin="" attribute which complicates the request model for the
> elements it is applicable to a lot. (Too much, in my opinion.)
>
> (I designed CORS in such a way it could be used for <img> and such without
> the need to introduce new syntax.)

Without the crossorigin attribute, we'd need to send the Origin header
with every image request.  That might or might not be desirable, but
it's something to consider.

Adam


More information about the whatwg mailing list