[whatwg] Enhancement request: change EventSource to allow cross-domain access
Ian Hickson
ian at hixie.ch
Fri Jun 17 15:31:42 PDT 2011
On Fri, 17 Jun 2011, Jonas Sicking wrote:
> > On Wed, 1 Jun 2011, Jonas Sicking wrote:
> >>
> >> We should probably consider adding the ability to specify if you want
> >> the request to happen with or without credentials (and default to the
> >> safe option which is without credentials).
> >
> > Why?
>
> For the same reasons that we're doing it for XHR and for <img>s.
For EventSource, the vast majority of streams are going to be
user-specific, as far as I can tell, so the default should probably just
be to send credentials. (That's what happens with <script>, the current
way people try to solve this problem.)
The reason we _didn't_ send credentials by default for <img> was that most
cross-origin images are going to be static, and it would be a huge pain
for the server to have to do per-connection work to determine the HTTP
headers each time. With EventSource, that's a non-issue, since the server
is going to have to do lots of much heavier per-connection work anyway.
> People will likely want to create even streams that are specific to a
> user. For example indicating that the value of a users stock portfolio
> has gone up or down.
Agreed. But what's the use case for _not_ sending credentials here?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list