[whatwg] Enhancement request: change EventSource to allow cross-domain access
jonas at sicking.cc
Thu Jun 23 19:46:18 PDT 2011
On Thu, Jun 23, 2011 at 5:09 PM, ilya goberman <goberman at msn.com> wrote:
> It is personalized on something that we send in the URL ("client id" I
> mentioned below) which identifies which user's data is requested. We do not
> Ian was kind enough to explain to me how EventSource will function.
> Apparently EventSource will have withCredentials always set to true (false
> is not allowed).
> That means that using * for Access-Control-Allow-Origin will never work for
> the EventSource and I have to put request's "Origin" value in the response's
> Access-Control-Allow-Origin to enable CORS.
> It is not a huge deal, unless there are some proxies that will not pass
> Origin through (I do not really know if there are any).

The main argument for always having withCredentials set to true is
that there was a lack of use cases for setting it to false. However
this appears that whatever you're building is at least one such use

I'm actually a bit reluctant to use the more complex and sensitive
security model by default. It's very easy for people to share more
information than they need and would be a reason for people to use XHR
instead of EventSource which is unfortunate.

I think we'll end up prototyping this soon in Firefox at which point
this feature will have to pass through security review when we'll look
at this more closely.
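
The constraint discussed in this message, as an added example that is not part of the original thread or of any browser's code: with withCredentials set, a response carrying `Access-Control-Allow-Origin: *` is rejected, so the server has to echo an allowlisted Origin. The origins, the allowlist and both function names are assumptions made for illustration.

```javascript
// Constructed allowlist of origins permitted to open the event stream.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://dash.example"]);

// Server side: CORS response headers for a credentialed EventSource request.
function corsHeadersForEventStream(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Missing Origin (same-origin request, or removed by an intermediary) or an
  // origin outside the allowlist: send no CORS headers, so the browser blocks
  // the cross-origin read.
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  return {
    // Echo the exact origin; "*" is not accepted for credentialed requests.
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // The body varies per origin, so shared caches must key on Origin.
    "Vary": "Origin",
  };
}

// Browser side, simplified: the CORS check applied to a credentialed response.
function credentialedCheckPasses(requestOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined || acao === "*") return false; // wildcard rejected
  if (acao !== requestOrigin) return false;             // must match exactly
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Walk three constructed cases through both sides.
function demo() {
  const wildcard = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
  };
  return {
    echoed: credentialedCheckPasses("https://app.example",
      corsHeadersForEventStream("https://app.example")),
    wildcard: credentialedCheckPasses("https://app.example", wildcard),
    notAllowlisted: credentialedCheckPasses("https://other.example",
      corsHeadersForEventStream("https://other.example")),
  };
}

console.log(demo());
```

Echoing the Origin header without an allowlist would pass the same browser check for every site, which is the over-sharing risk raised in the reply above.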