
Fixed Event Source to include the with credentials options #299

Closed

Conversation

cloudmark

The cookies were not being sent to the client because of this missing option

@brycekahle
Contributor

@cloudmark
Author

I see what you mean. Can't this be avoided though if the X-Frame-Options header is set from the server (X-Frame-Options: SAMEORIGIN)?

@brycekahle
Contributor

That would assume the sockjs origin is the same as the serving page, which is not always the case. That header is also not supported by all of the browser versions this library targets.

@cloudmark
Author

Isn't support limited though only for ALLOW-FROM? SAMEORIGIN is supported by all modern browsers. I think it is quite common for the iframe to be included from the same origin. Would you oppose such an option being exposed on the sockjs client, or a transport which enables this?

@brycekahle
Contributor

I disagree about them often being the same origin. A common setup has the real-time infrastructure separate from the website. The browsers this library supports extend way beyond "modern" as well.

X-Frame-Options would only be safe if you limited which browsers were able to connect. This means user-agent sniffing, which is not ideal.

@cloudmark
Author

I think it would be fair to say that the EventSource withCredentials flag is dependent on the reactive server setup. Can't this flag be exposed so that FE developers can override the default (sane) behaviour in a scenario in which the reactive server setup is known (with the iframe X-Frame-Options setup)?

Which browsers do not support X-Frame-Options: SAMEORIGIN? I'm curious.

Feel free to close this issue if you feel that this proposal is not in line with the project's vision.

@brycekahle
Contributor

IE <8, Opera < 10.5, Safari < 4
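The two decisions argued over above, as an added illustration that is not sockjs-client code: whether an X-Frame-Options value (DENY, SAMEORIGIN, ALLOW-FROM) would let a frame from the real-time origin be embedded in the page, and whether an EventSource should be opened with withCredentials. The origins, the trusted-origin allowlist and the treatment of unrecognised directives are assumptions made for the example.

```javascript
// Added example (not from the PR or the sockjs-client project).
// Uses only the WHATWG URL API available in Node and browsers.

// Would a browser honouring X-Frame-Options embed a frame served from
// `frameOrigin` inside a page served from `pageOrigin`?
// Directives modelled: DENY, SAMEORIGIN, ALLOW-FROM <uri>.
function frameAllowed(xfoHeader, pageOrigin, frameOrigin) {
  if (xfoHeader == null) return true;            // header absent: no restriction from it
  const raw = xfoHeader.trim();
  const value = raw.toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return pageOrigin === frameOrigin;
  if (value.startsWith('ALLOW-FROM ')) {
    // Only the single listed origin may embed the resource.
    const allowed = new URL(raw.slice('ALLOW-FROM '.length)).origin;
    return allowed === pageOrigin;
  }
  // Assumption for this example: an unrecognised directive imposes no restriction
  // (real browsers vary, which is why the header alone is a weak control).
  return true;
}

// Decide the withCredentials flag for an EventSource opened from `pageOrigin`
// to `sseUrl`. A same-origin request carries cookies regardless of the flag;
// for a cross-origin request the flag is what makes the browser attach cookies,
// so it is only set when the server origin is on an explicit allowlist.
function eventSourceOptions(pageOrigin, sseUrl, trustedOrigins = []) {
  const target = new URL(sseUrl, pageOrigin).origin;
  if (target === pageOrigin) {
    return { target, crossOrigin: false, withCredentials: false };
  }
  return { target, crossOrigin: true, withCredentials: trustedOrigins.includes(target) };
}

// Constructed sample: website on one origin, real-time server on another.
const page = 'https://app.example';
const realtime = 'https://rt.example';
console.log(frameAllowed('SAMEORIGIN', page, realtime));          // false
console.log(frameAllowed('ALLOW-FROM https://app.example/', page, realtime)); // true
console.log(eventSourceOptions(page, realtime + '/sockjs/eventsource', [realtime]));
```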

@brycekahle brycekahle closed this Apr 30, 2016