== Introduce Feature ==
Allow Cross-Origin URLs in EventSource (Server-Sent Events) - {{bug|664179}} | |||
=== Goal of Feature, what is trying to be achieved (problem solved, use cases, etc) ===
Push-based event triggers, built on the same CORS mechanism that cross-origin XHR uses. Syntactic sugar that makes push and event notifications easier and requires less scripting support for connection maintenance, reconnection, etc.
Hence we should default to not sending cookies and enable the ability to opt in to cookies. If other implementations go other ways we can reevaluate this decision at a later point.
To mitigate the risk of misunderstanding what it means to opt in to CORS (i.e. that you're opting in to more than just cross-site EventSource), we should make it clear in documentation that enabling CORS on a stream exposes the full contents of the stream to the loading site. While we could attempt to mitigate this through technical means, the added complexity would likely add further risk of misunderstanding.
[[Category:SecReview|CrossOriginEventSource]] |