http://www.w3.org/Bugs/Public/show_bug.cgi?id=14592
Summary: EventSource should default to use "Use Credentials" set to false for CORS
Product: WebAppsWG
Version: unspecified
Platform: PC
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Server-Sent Events (editor: Ian Hickson)
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]
CC: [email protected], [email protected]

In order to default to a safer mode of operation, EventSource should default
to not sending credentials in cross-origin requests. This also has the
advantage that it matches how XMLHttpRequest works.

In order to opt in to using credentials, a constructor argument should be used.
Something like the following WebIDL:
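
    // Credentials are not sent cross-origin unless the caller opts in.
    dictionary EventSourceInit {
      boolean withCredentials = false;
    };

    [Constructor(DOMString url, optional EventSourceInit optParams)]
    interface EventSource : EventTarget {
      ...
      // Reflects the value passed to the constructor.
      readonly attribute boolean withCredentials;
      ...
    };
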
This also matches the conclusion we came to during the Mozilla security review
and is thus the solution we're for now planning on deploying (prefixed for now,
of course).
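
The following is an added example, not part of the bug report or of any browser's code: a small model of what the proposed default changes for a cross-origin EventSource, covering whether the request carries credentials and how the CORS response check differs once "use credentials" is set. The origins `https://app.example` and `https://feeds.example` and both function names are constructed for illustration.

```javascript
// Model of the proposed EventSourceInit { withCredentials = false } default.
// Function names and origins are hypothetical; the header rules are those of CORS.

// Would the request carry cookies / HTTP authentication?
function sendsCredentials(pageOrigin, url, init = {}) {
  const sameOrigin = new URL(url, pageOrigin).origin === pageOrigin;
  // Same-origin requests always carry credentials; cross-origin ones only
  // when the caller opted in through the constructor dictionary.
  return sameOrigin || init.withCredentials === true;
}

// Would the browser expose the event stream to the page, given the
// response headers (keys lower-cased)?
function corsAllows(pageOrigin, url, init, headers) {
  const sameOrigin = new URL(url, pageOrigin).origin === pageOrigin;
  if (sameOrigin) return true; // CORS check does not apply
  const allowOrigin = headers["access-control-allow-origin"];
  if (!sendsCredentials(pageOrigin, url, init)) {
    // Anonymous request: wildcard or an exact origin match is enough.
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // Credentialed request: wildcard is rejected and the server must
  // explicitly agree with Access-Control-Allow-Credentials: true.
  return allowOrigin === pageOrigin &&
         headers["access-control-allow-credentials"] === "true";
}

// Constructed scenarios: one page, one cross-origin stream, three server policies.
function demo() {
  const page = "https://app.example";
  const stream = "https://feeds.example/stream";
  const wildcard = { "access-control-allow-origin": "*" };
  const originOnly = { "access-control-allow-origin": page };
  const withCreds = { ...originOnly, "access-control-allow-credentials": "true" };
  return [
    ["default, wildcard", corsAllows(page, stream, {}, wildcard)],
    ["opt-in, wildcard", corsAllows(page, stream, { withCredentials: true }, wildcard)],
    ["opt-in, origin only", corsAllows(page, stream, { withCredentials: true }, originOnly)],
    ["opt-in, origin + credentials", corsAllows(page, stream, { withCredentials: true }, withCreds)],
  ];
}

console.log(demo());
```

With the proposed default, a server that only sends `Access-Control-Allow-Origin: *` never sees the user's cookies from another origin; a credentialed stream requires both the page and the server to opt in.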