Re: [whatwg] Enhancement request: change EventSource to allow cross-domain access
On Sat, 18 Jun 2011 00:31:42 +0200, Ian Hickson i...@hixie.ch wrote: The reason we _didn't_ send credentials by default for img was that most cross-origin images are going to be static, and it would be a huge pain for the server to have to do per-connection work to determine the HTTP headers each time. With EventSource, that's a non-issue, since the server is going to have to do lots of much heavier per-connection work anyway. I think we should change CORS to allow * for credentialed requests. People have already asked for that. That would also allow dropping the crossorigin= attribute which complicates the request model for the elements it is applicable to a lot. (Too much, in my opinion.) (I designed CORS in such a way it could be used for img and such without the need to introduce new syntax.) -- Anne van Kesteren http://annevankesteren.nl/
Re: [whatwg] Enhancement request: change EventSource to allow cross-domain access
On Sat, Jun 18, 2011 at 1:01 AM, Anne van Kesteren ann...@opera.com wrote: On Sat, 18 Jun 2011 00:31:42 +0200, Ian Hickson i...@hixie.ch wrote: The reason we _didn't_ send credentials by default for img was that most cross-origin images are going to be static, and it would be a huge pain for the server to have to do per-connection work to determine the HTTP headers each time. With EventSource, that's a non-issue, since the server is going to have to do lots of much heavier per-connection work anyway. I think we should change CORS to allow * for credentialed requests. People have already asked for that. That would also allow dropping the crossorigin= attribute which complicates the request model for the elements it is applicable to a lot. (Too much, in my opinion.) (I designed CORS in such a way it could be used for img and such without the need to introduce new syntax.) Without the crossorigin attribute, we'd need to send the Origin header with every image request. That might or might not be desirable, but it's something to consider. Adam
Re: [whatwg] Enhancement request: change EventSource to allow cross-domain access
On 06/18/2011 01:31 AM, Ian Hickson wrote: On Fri, 17 Jun 2011, Jonas Sicking wrote: On Wed, 1 Jun 2011, Jonas Sicking wrote: We should probably consider adding the ability to specify if you want the request to happen with or without credentials (and default to the safe option which is without credentials). Why? For the same reasons that we're doing it for XHR and forimgs. For EventSource, the vast majority of streams are going to be user-specific, as far as I can tell, so the default should probably just be to send credentials. It is a very strange API inconsistency if XHR defaults to credentials=false, but EventSource to credentials=true. -Olli
Re: [whatwg] Enhancement request: change EventSource to allow cross-domain access
On Sat, 18 Jun 2011 15:23:21 +0200, Olli Pettay olli.pet...@helsinki.fi wrote: It is a very strange API inconsistency if XHR defaults to credentials=false, but EventSource to credentials=true. Not if we do not expose all of the features XMLHttpRequest has. Besides, .withCredentials was a bad idea. That is where the inconsistency with other cross-origin requests started. (In retrospect I very much wish I fought harder to keep the consistency.) -- Anne van Kesteren http://annevankesteren.nl/
Re: [whatwg] Enhancement request: change EventSource to allow cross-domain access
On 2011-06-17 21:57, Ian Hickson wrote: On Wed, 1 Jun 2011, ilya goberman wrote: Can EventSource be enhanced to support cross-domain requests via Access-Control-Allow-Origin header, just like it is already done for XHR? See http://en.wikipedia.org/wiki/XMLHttpRequest#Cross-domain_requests. Done. Great news! The same-origin check in step 4 under When the EventSource() constructor is invoked .. is still present. According to the CORS specification, a request is not to be terminated even when the resource sharing check fails. However, when using CORS with EventSource I think it may be justified since the response is typically not returned right away. The Cache-Control request header used with EventSource is not in the list of simple request headers and a preflight request is not really an option here in my opinion. //Per-Erik