tytho | 1 year ago

The browser EventSource constructor does not have options to pass in your own headers. You can pass an option to have it use the cookies for the domain you’re using. There are libraries that allow you to pass in additional HTTP options, but they essentially reimplement the built-in EventSource object in order to do so. Not terribly difficult, fairly simple spec.

omgtehlion|1 year ago

Well, that constructor by default sends all the headers you have for your own domain and auth you are entitled to. This is how all other APIs in browsers work due to security and privacy concerns.

If you call to other domains, then this problem is no different to what we had with CORS years ago.

apitman|1 year ago

> This is how all other APIs in browsers work due to security and privacy concerns

They're probably comparing it to the fetch and XHR APIs, which both allow custom headers.
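
The approach mentioned at the top of the thread (reimplementing EventSource on top of fetch so that custom headers can be sent), as an added example that is not code from any commenter or library. The names `createSseParser`, `sseWithHeaders` and `demo` are hypothetical, the sample stream is constructed, and reconnection and `retry` handling are left out.

```javascript
// Added example: incremental text/event-stream parser plus a fetch-based client.
function createSseParser(onEvent) {
  let buf = "", data = [], type = "", lastId = "";
  function handleLine(line) {
    if (line === "") {                          // blank line dispatches the event
      if (data.length) onEvent({ type: type || "message", data: data.join("\n"), lastEventId: lastId });
      data = []; type = "";
      return;
    }
    if (line[0] === ":") return;                // comment / keep-alive line
    const i = line.indexOf(":");
    const field = i === -1 ? line : line.slice(0, i);
    let value = i === -1 ? "" : line.slice(i + 1);
    if (value[0] === " ") value = value.slice(1); // strip one leading space only
    if (field === "data") data.push(value);
    else if (field === "event") type = value;
    else if (field === "id" && !value.includes("\0")) lastId = value;
  }
  return function feed(chunk) {
    buf += chunk;
    const held = buf.endsWith("\r");            // may be the first half of "\r\n"
    const lines = buf.split(/\r\n|\n|\r/);
    buf = lines.pop();                          // keep the unterminated tail
    if (held) buf = lines.pop() + "\r";         // re-hold the line until more arrives
    lines.forEach(handleLine);
  };
}

async function sseWithHeaders(url, headers, onEvent, signal) {
  // A non-safelisted header such as Authorization makes a cross-origin request
  // preflighted, so the server has to allow it through CORS.
  const res = await fetch(url, { headers: { Accept: "text/event-stream", ...headers }, signal });
  const ctype = res.headers.get("content-type") || "";
  if (!res.ok || !ctype.startsWith("text/event-stream")) throw new Error(`unexpected response: ${res.status} ${ctype}`);
  const feed = createSseParser(onEvent);
  const decoder = new TextDecoder();
  const reader = res.body.getReader();
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    feed(decoder.decode(value, { stream: true }));
  }
}

// Constructed sample stream, split mid-line and mid-CRLF to exercise buffering.
function demo() {
  const out = [], feed = createSseParser((e) => out.push(e));
  [": ping\n\nevent: up", "date\r", "\ndata: a\ndata: b\nid: 7\n\ndata", ": c\n\n"].forEach(feed);
  return out;
}
```

A call would look like `sseWithHeaders(url, { Authorization: "Bearer <token>" }, handler, abortController.signal)`, where the URL and token are placeholders.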