by tytho 1593 days ago
You cannot send custom headers when using the built-in EventSource[1] constructor; however, you can pass the ‘include’ value to the credentials option. Many polyfills allow custom headers.

However, you are correct that if you’re not using JavaScript and are connecting directly to the SSE endpoint via something other than a browser client, nothing is preventing anyone from using custom headers.

[1] https://developer.mozilla.org/en-US/docs/Web/API/EventSource...

2 comments

Aha, well why do you need to send a header when you can just put the data on the GET URL like so "blabla?cookie=erWR32" for example?

In my example I use this code:

        var source = new EventSource('pull?name=one');
        source.onmessage = function (event) {
            document.getElementById('events').innerHTML += event.data;
        };

I think that works great! The complaint I’ve heard is that you may need to support multiple ways to authenticate opening up more attack surface.

What if you use http-only cookies?

You can pass a ‘withCredentials’ option.

I’m pretty sure I saw him sending headers in the talk. Did you watch the talk?

He was likely using a polyfill. It’s definitely not in the spec and there’s an open discussion about trying to get it added: https://github.com/whatwg/html/issues/2177
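
One way to send a custom header to an SSE endpoint from a browser without the built-in EventSource, as an added example that is not code from the thread or from any polyfill: read the stream with `fetch` and parse the `text/event-stream` body by hand. The names `createSseParser` and `openEventStream` and the bearer-token scheme are assumptions.

```javascript
// Added example (not from the thread). Function names and the bearer-token
// scheme are assumptions made for illustration.

// Incremental parser for a text/event-stream body. Chunks may split anywhere.
// Handles LF and CRLF line endings and "data:" fields; other fields are ignored.
function createSseParser(onMessage) {
  let buffer = '';
  let data = [];
  return function feed(chunk) {
    buffer += chunk;
    const lines = buffer.split('\n');
    buffer = lines.pop(); // incomplete last line waits for the next chunk
    for (const raw of lines) {
      const line = raw.endsWith('\r') ? raw.slice(0, -1) : raw;
      if (line === '') { // blank line ends the event
        if (data.length > 0) onMessage(data.join('\n'));
        data = [];
      } else if (line.startsWith('data:')) {
        const value = line.slice(5);
        data.push(value.startsWith(' ') ? value.slice(1) : value);
      }
    }
  };
}

// Opens the stream with fetch so the token travels in a header, not the URL.
// Unlike EventSource, this does not reconnect automatically.
async function openEventStream(url, token, onMessage, fetchImpl = fetch) {
  const res = await fetchImpl(url, {
    headers: { Accept: 'text/event-stream', Authorization: `Bearer ${token}` },
    credentials: 'omit', // no cookies: the header is the only credential
  });
  if (!res.ok) throw new Error(`SSE request rejected: ${res.status}`);
  const feed = createSseParser(onMessage);
  const decoder = new TextDecoder();
  const reader = res.body.getReader();
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    feed(decoder.decode(value, { stream: true }));
  }
}
```

When the stream content is not trusted, the `onMessage` handler should write it to the page with `textContent` rather than `innerHTML`.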