undefined | Better HN

0 pointstytho4y ago0 comments

You cannot send custom headers when using the built-in EventSource[1] constructor, however you can pass the ‘include’ value to the credentials option. Many polyfills allow custom headers.

However you are correct that if you’re not using JavaScript and connecting directly to the SSE endpoint via something else besides a browser client, nothing is preventing anyone from using custom headers.

[1] https://developer.mozilla.org/en-US/docs/Web/API/EventSource...

0 comments

bullen4y ago

Aha, well why do you need to send a header when you can just put the data on the GET URL like so "blabla?cookie=erWR32" for example?

In my example I use this code:

        var source = new EventSource('pull?name=one');
        source.onmessage = function (event) {
           document.getElementById('events').innerHTML += event.data;
        };

tythoOP4y ago

I think that works great! The complaint I’ve heard is that you may need to support multiple ways to authenticate opening up more attack surface.

kreetx4y ago

What if you use http-only cookies?

tythoOP4y ago

You can pass a ‘withCredentials’ option.

withinboredom4y ago

I’m pretty sure I saw him sending headers in the talk. Did you watch the talk?

tythoOP4y ago

He was likely using a polyfill. It’s definitely not in the spec and there’s an open discussion about trying to get it added: https://github.com/whatwg/html/issues/2177

j / k navigate · click thread line to collapse

0 pointstytho4y ago0 comments

You cannot send custom headers when using the built-in EventSource[1] constructor, however you can pass the ‘include’ value to the credentials option. Many polyfills allow custom headers.

[1] https://developer.mozilla.org/en-US/docs/Web/API/EventSource...

0 comments

bullen4y ago

Aha, well why do you need to send a header when you can just put the data on the GET URL like so "blabla?cookie=erWR32" for example?

In my example I use this code:

        var source = new EventSource('pull?name=one');
        source.onmessage = function (event) {
           document.getElementById('events').innerHTML += event.data;
        };

tythoOP4y ago

I think that works great! The complaint I’ve heard is that you may need to support multiple ways to authenticate opening up more attack surface.

kreetx4y ago

What if you use http-only cookies?

tythoOP4y ago

You can pass a ‘withCredentials’ option.

withinboredom4y ago

I’m pretty sure I saw him sending headers in the talk. Did you watch the talk?

tythoOP4y ago

He was likely using a polyfill. It’s definitely not in the spec and there’s an open discussion about trying to get it added: https://github.com/whatwg/html/issues/2177

j / k navigate · click thread line to collapse