On Sat, 05 Jan 2008 06:51:29 -0000, Henry Mason <[EMAIL PROTECTED]> wrote:
- Unnecessary dependency on DOM Events
This feature is inherently event-based. I think it does make sense to
re-use existing framework for event handling.
However, I haven't found use-case for remote triggering of standard
events, like mouse and keyboard events. I always use my custom events,
because I don't want to couple server-side code with details of particular
user interface.
- Redundancy with already existing techniques, especially XMLHttpRequest
It's much simpler to use and allows browser to manage the connection.
I propose that we remove support for non-message events; that is, allow
only events with MessageEvent interface.
+1
Scripts that need that functionality can create wrapper on client-side
that will dispatch other types of events.
The critically cool part, however, is that since MessageEvents store
their domain and URI origin, it will be safe to allow for cross-domain
messaging through this server-sent events.
I don't see how it makes cross-domain messaging safe. Without
Access-Control mechanism, what would prevent malicious site from reading
event-source of e.g. users' gmail chat? (variant of CSRF attack)
--
regards, Kornel LesiĆski
