This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 11835 - EventSource must support cross-domain requests (ala CORS)
Summary: EventSource must support cross-domain requests (ala CORS)
Status: RESOLVED FIXED
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: HISTORICAL - Server-Sent Events (editor: Ian Hickson) (show other bugs)
Version: unspecified
Hardware: Other other
: P2 major
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: public-webapps-bugzilla
URL: http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-21 19:07 UTC by contributor
Modified: 2011-06-18 08:27 UTC (History)
10 users (show)

See Also:

Attachments

Description contributor 2011-01-21 19:07:56 UTC 
Specification: http://dev.w3.org/html5/eventsource/
Section: http://www.whatwg.org/specs/web-apps/current-work/complete.html#top

Comment:
Please do *not* require a same-origin restriction in user agents (as currently
specified under "Security Considerations")!  This cross-origin data leakage
security issues have already been addressed by the  CORS specification
(http://www.w3.org/TR/cors/).  EventSource should simply adopt the policies
outlined there.

I consider this a critical flaw, as cross-domain requests are essential to
working around useragent connection limits.  Unless this is addressed,
developers will simply ignore native useragent implementations and write their
own, XHR+CORS-based, APIs (as they're already doing.)  This spec will be
nothing more than tepid inspiration for those 3rd-party solutions, and ignored
otherwise.

Posted from: 66.220.144.74
Comment 1 Robert Kieffer 2011-01-21 19:14:00 UTC 
Currently the EventSource spec imposes a same-origin restriction on user agents.  This is simply not acceptable.

EventSource requires a persistent connection, which conflicts with the per-domain connection limits imposed by user-agents.  The one viable workaround for this issue is to issue persistent requests on a subdomain, which requires the ability to do cross-origin requests.

I'm puzzled why EventSource wouldn't simply adopt the CORS spec for doing cross-domain requests?  Frankly, that seems so obvious a solution that I feel I must be missing something.... am I?
Comment 2 Tab Atkins Jr. 2011-01-21 19:14:41 UTC 
(In reply to comment #0)
> This cross-origin data leakage
> security issues have already been addressed by the  CORS specification
> (http://www.w3.org/TR/cors/).  EventSource should simply adopt the policies
> outlined there.

I don't understand how CORS lets us avoid a cross-origin restriction.  CORS is designed to *lift* cross-origin restrictions.  It can only operate if there's already a restriction in place for it to lift; it doesn't *create* any new restrictions.  Thus, we either don't put any restriction, and are stuck with it always being fully open, or we put a cross-origin restriction in, and let CORS selectively relax it when necessary.
Comment 3 Robert Kieffer 2011-01-21 23:17:57 UTC 
(In reply to comment #2)
> I don't understand how CORS lets us avoid a cross-origin restriction.  CORS is
> designed to *lift* cross-origin restrictions.  It can only operate if there's
> already a restriction in place for it to lift; it doesn't *create* any new
> restrictions.  Thus, we either don't put any restriction, and are stuck with it
> always being fully open, or we put a cross-origin restriction in, and let CORS
> selectively relax it when necessary.

Under, "Security Considerations", the spec currently reads, "user agents are required to block all cross-origin loads." There is no provision made for using CORS as a way to lift this restriction.  That's a problem.
Comment 4 Anne 2011-01-22 11:25:14 UTC 
EventSource will get CORS support in due course. CORS is still somewhat experimental at the moment so we are waiting a bit.
Comment 5 Ian 'Hixie' Hickson 2011-02-16 08:22:36 UTC 
Anne is correct in comment 4.
Comment 6 Louis-R 2011-06-14 16:28:09 UTC 
We are talking about a specification here, not an implementation. It is a draft, not an experimentation.
Let's allow CORS in the spec so that implementors can *experiment* with it and provide useful feedback about CORS and how it would play with EventSource.

Waiting for a spec to get more stable before experimenting with it seems illogical to me.
Comment 7 Glenn Adams 2011-06-16 18:30:34 UTC 
I propose to resolve this issue by removing all requirements pertaining to cross-origin uses. As such, this specification defines a mechanism (SSE), but when it starts placing requirements on how this mechanism is used (e.g., in a user agent), it ventures into policy requirements. There is no technical aspect of such policy requirements for which the mechanism itself is technically dependent. Therefore, the policy requirements should be removed from this spec, while continuing to note the relevant security issue. Different uses of the SSE mechanism may wish to employ different policies as well as different techniques to enforce specific policies. As such, this specification should be written in a manner to accommodate all such uses, including a policy that ignores the security issue (because, e.g., other security mechanisms effectively prevent the problem at a higher level).

If HTML5 wishes to normatively employ SSE *and* require CORS or equivalent protection, then the HTML5 specification should be the point at which such requirements are defined.

G.