Bug 19315 - Last-Event-ID header should be a simple header
Status: RESOLVED DUPLICATE of bug 17042
Product: WebAppsSec
Classification: Unclassified
Component: CORS
Version: unspecified
Hardware: PC Windows 3.1
Importance: P2 normal
Target Milestone: ---
Assigned To: Anne
Reported: 2012-10-07 04:45 UTC by vic99999
Modified: 2013-10-28 14:19 UTC

Description vic99999 2012-10-07 04:45:27 UTC
"Last-Event-ID" header, used by EventSource - http://dev.w3.org/html5/eventsource/ , should be a simple header

EventSource already allows CORS with this header without preflight

http://hg.mozilla.org/releases/mozilla-release/file/dc25520cbe46/content/base/src/nsXMLHttpRequest.cpp#l3277

Thanks

P.S.

It seems Firefox allows these headers to be used for a simple CORS request:
accept, accept-language, content-language, content-type, last-event-id

And Webkit allows:
accept, accept-language, content-language, content-type, origin, referer
Comment 1 Anne 2012-10-12 13:44:28 UTC
That EventSource uses it does not mean everyone should be allowed to use it without preflight. It's just part of the EventSource protocol; it's not an author request header.
Comment 2 vic99999 2012-10-12 14:43:23 UTC
EventSource cannot be polyfilled with XMLHttpRequest without it.

If EventSource can do this with CORS and passing through redirects, then there are no risks.
What is the main problem with including this header in the simple headers list?
Comment 3 Anne 2012-10-12 14:57:27 UTC
Isn't it too late to polyfill?

EventSource is much more limited in scope than XMLHttpRequest is, so there is some (largely theoretical) risk.

I don't really mind either way; I suggest talking to some implementors.
Comment 4 vic99999 2012-10-12 16:16:08 UTC
> Isn't it too late to polyfill?

I think it is not.
Comment 5 Anne 2012-12-18 11:02:05 UTC
We decided at the F2F that we do not want to expand the list of simple headers. We want to make CORS more stable and this proposal does not have much merit (EventSource is in almost all browsers already, and in those where it is not, Last-Event-ID is not a simple header either, so that doesn't help either way), and therefore it is rejected.
Comment 6 Anne 2013-10-28 14:19:28 UTC

*** This bug has been marked as a duplicate of bug 17042 ***
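
What the rejection in comment 5 means in practice, as an added example that is not part of the bug thread or of any browser's code: a cross-origin XMLHttpRequest that sets Last-Event-ID is preflighted, so a server backing an XHR-based EventSource polyfill has to allow that header explicitly. The origin `https://app.example`, the function names and the request object shape are assumptions made for the sketch.

```javascript
// Added example: the CORS "simple" method and header lists from the specification.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when a cross-origin request with these author headers gets preflighted.
function needsPreflight(method, authorHeaders) {
  // XMLHttpRequest normalizes these method names to upper case.
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(authorHeaders).some(([name, value]) => {
    const n = name.toLowerCase();
    if (SIMPLE_HEADERS.has(n)) return false;
    if (n === "content-type") {
      // Content-Type is simple only for three MIME types (parameters ignored).
      const mime = String(value).split(";")[0].trim().toLowerCase();
      return !SIMPLE_CONTENT_TYPES.has(mime);
    }
    return true; // anything else, Last-Event-ID included, forces a preflight
  });
}

// Server side of an event-stream endpoint (hypothetical policy values).
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed origin
const ALLOWED_REQUEST_HEADERS = new Set(["last-event-id"]);

// Build the reply to an OPTIONS preflight; req.headers uses lower-case keys.
function preflightResponse(req) {
  const deny = { status: 403, headers: {} };
  const origin = req.headers["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) return deny;
  if (req.headers["access-control-request-method"] !== "GET") return deny;
  const requested = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  // Allow-list the requested headers instead of echoing them back blindly.
  if (!requested.every((h) => ALLOWED_REQUEST_HEADERS.has(h))) return deny;
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // exact origin, never "*" here
      "Access-Control-Allow-Methods": "GET",
      "Access-Control-Allow-Headers": requested.join(", "),
      "Vary": "Origin",
    },
  };
}
```

The actual GET response still has to carry its own `Access-Control-Allow-Origin` header; the preflight reply only authorizes the request to be sent.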