[whatwg] Enhancement request: change EventSource to allow cross-domain access

Per-Erik Brodin per-erik.brodin at ericsson.com
Tue Jun 21 07:08:01 PDT 2011

On 2011-06-20 21:28, Jonas Sicking wrote:
> On Mon, Jun 20, 2011 at 7:13 AM, Per-Erik Brodin
> <per-erik.brodin at ericsson.com>  wrote:
>> On 2011-06-20 12:53, Jonas Sicking wrote:
>>> Headers that the implementation adds doesn't need to be added to this
>>> list. For example the "Host" header is set by the browser in almost
>>> all situations, but it does not need to be added to the list of
>>> "simple headers". Indeed, adding in there would an out right bad idea.
>>> So I'm not convinced that the Last-Event-ID header needs to be in the
>>> list.
>> Only "custom request headers" are matched against the list of "simple
>> headers" and "Host" is not a custom header set by the EventSource
>> implementation, hence there is no need to add it to the list.
>> In XHR Level 2 the custom request headers are the "author request headers".
>> An option would be to always match the list of simple headers against author
>> request headers only.
> It seems like you are saying exactly what I was saying? Am I missing something?

What I am saying is that currently CORS defines "custom request headers" 
and that can be interpreted as all headers that are set by the API 
implementations (such as "Last-Event-ID" set by EventSource but not 
including the headers normally set by the HTTP loader, such as "Host"), 
regardless if they are author supplied or not. Since this has the 
downside that all new specifications that want to use CORS will have to 
rely on the CORS spec being updated if any new custom headers are going 
to be used, I agree with your proposal to match only author supplied 
headers against the list of simple headers.


More information about the whatwg mailing list