[giow] (0) CORS-enable EventSource, for cross-site event streams

git-svn-id: http://svn.whatwg.org/webapps@6255 340c8d12-0b0e-0410-8428-c7bf67bfef74

complete.html

 
    <li>
 
-    <p><a href=#fetch>Fetch</a> the resource identified by the resulting
-    <a href=#absolute-url>absolute URL</a>, from the <a href=#entry-script>entry script</a>'s
-    <a href=#origin>origin</a>, with the <i>force same-origin flag</i> set,
-    and process it as described below.</p> <!-- not http-origin
-    privacy sensitive (looking forward to CORS) -->
-
-    <p class=note>The definition of the <a href=#fetch title=fetch>fetching</a> algorithm is such that if the
-    browser is already fetching the resource identified by the given
-    <a href=#absolute-url>absolute URL</a>, that connection can be reused, instead
-    of a new connection being established. All messages received up to
-    this point are dispatched immediately, in this case.</p>
+    <p>Do a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the
+    resulting <a href=#absolute-url>absolute URL</a>, with the <i>mode</i> being
+    <a href=#attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use
+    Credentials</a>, and the <i><a href=#origin>origin</a></i> being the <a href=#entry-script>entry
+    script</a>'s <a href=#origin>origin</a><!--, and the <i>default origin
+    behaviour</i> set to <i>fail</i> (though it has no effect in the
+    "Use Credentials" mode)-->, and process the resource obtained in
+    this fashion, if any, as described below.</p>
+
+    <p class=note>The definition of the <a href=#fetch title=fetch>fetching</a> algorithm (which is used by CORS) is
+    such that if the browser is already fetching the resource
+    identified by the given <a href=#absolute-url>absolute URL</a>, that connection
+    can be reused, instead of a new connection being established. All
+    messages received up to this point are dispatched immediately, in
+    this case.</p>
 
    </li>
 
   other subresource.</p>
 
   <p>HTTP 301 Moved Permanently, HTTP 302 Found, 303 See Other, and
-  307 Temporary Redirect responses are handled by the <a href=#fetch title=fetch>fetching</a> algorithm. In the case of 301
-  redirects, the user agent must also remember the new URL so that
+  307 Temporary Redirect responses are handled by the <a href=#fetch title=fetch>fetching</a> and CORS algorithms. In the case of
+  301 redirects, the user agent must also remember the new URL so that
   subsequent requests for this resource for this
   <code><a href=#eventsource>EventSource</a></code> object start with the URL given for the
   last 301 seen for requests for this object.</p>
   <code title=event-error>error</code> at the
   <code><a href=#eventsource>EventSource</a></code> object, and then, after a delay equal to
   the reconnection time of the event source, if the <code title=dom-EventSource-readyState><a href=#dom-eventsource-readystate>readyState</a></code> attribute is
-  still set to <code title=dom-EventSource-CONNECTING><a href=#dom-eventsource-connecting>CONNECTING</a></code>,
-  <a href=#fetch>fetch</a> the event source resource again from the same
-  <a href=#origin>origin</a> as the original request triggered by the <code title=dom-EventSource><a href=#dom-eventsource>EventSource()</a></code> constructor.</p>
+  still set to <code title=dom-EventSource-CONNECTING><a href=#dom-eventsource-connecting>CONNECTING</a></code>, once again do
+  a <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled fetch</a> of the <a href=#absolute-url>absolute
+  URL</a> of the event source resource, with the <i>mode</i> being
+  <a href=#attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use
+  Credentials</a>, and the <i><a href=#origin>origin</a></i> being the same as the
+  <a href=#origin>origin</a> used in the original request triggered by the
+  <code title=dom-EventSource><a href=#dom-eventsource>EventSource()</a></code> constructor<!--,
+  and the <i>default origin behaviour</i> set to <i>fail</i> (though
+  it has no effect in the "Use Credentials" mode)-->, and process the
+  resource obtained in this fashion, if any, as described in this
+  section.</p>
 
   <p>When a user agent is to <dfn id=fail-the-connection>fail the connection</dfn>, the user
   agent must set the <code title=dom-EventSource-readyState><a href=#dom-eventsource-readystate>readyState</a></code> attribute to

source

 
    <li>
 
-    <p><span>Fetch</span> the resource identified by the resulting
-    <span>absolute URL</span>, from the <span>entry script</span>'s
-    <span>origin</span>, with the <i>force same-origin flag</i> set,
-    and process it as described below.</p> <!-- not http-origin
-    privacy sensitive (looking forward to CORS) -->
+    <p>Do a <span>potentially CORS-enabled fetch</span> of the
+    resulting <span>absolute URL</span>, with the <i>mode</i> being
+    <span title="attr-crossorigin-use-credentials">Use
+    Credentials</span>, and the <i>origin</i> being the <span>entry
+    script</span>'s <span>origin</span><!--, and the <i>default origin
+    behaviour</i> set to <i>fail</i> (though it has no effect in the
+    "Use Credentials" mode)-->, and process the resource obtained in
+    this fashion, if any, as described below.</p>
 
     <p class="note">The definition of the <span
-    title="fetch">fetching</span> algorithm is such that if the
-    browser is already fetching the resource identified by the given
-    <span>absolute URL</span>, that connection can be reused, instead
-    of a new connection being established. All messages received up to
-    this point are dispatched immediately, in this case.</p>
+    title="fetch">fetching</span> algorithm (which is used by CORS) is
+    such that if the browser is already fetching the resource
+    identified by the given <span>absolute URL</span>, that connection
+    can be reused, instead of a new connection being established. All
+    messages received up to this point are dispatched immediately, in
+    this case.</p>
 
    </li>
 
 
   <p>HTTP 301 Moved Permanently, HTTP 302 Found, 303 See Other, and
   307 Temporary Redirect responses are handled by the <span
-  title="fetch">fetching</span> algorithm. In the case of 301
-  redirects, the user agent must also remember the new URL so that
+  title="fetch">fetching</span> and CORS algorithms. In the case of
+  301 redirects, the user agent must also remember the new URL so that
   subsequent requests for this resource for this
   <code>EventSource</code> object start with the URL given for the
   last 301 seen for requests for this object.</p>
   the reconnection time of the event source, if the <code
   title="dom-EventSource-readyState">readyState</code> attribute is
   still set to <code
-  title="dom-EventSource-CONNECTING">CONNECTING</code>,
-  <span>fetch</span> the event source resource again from the same
-  <span>origin</span> as the original request triggered by the <code
-  title="dom-EventSource">EventSource()</code> constructor.</p>
+  title="dom-EventSource-CONNECTING">CONNECTING</code>, once again do
+  a <span>potentially CORS-enabled fetch</span> of the <span>absolute
+  URL</span> of the event source resource, with the <i>mode</i> being
+  <span title="attr-crossorigin-use-credentials">Use
+  Credentials</span>, and the <i>origin</i> being the same as the
+  <span>origin</span> used in the original request triggered by the
+  <code title="dom-EventSource">EventSource()</code> constructor<!--,
+  and the <i>default origin behaviour</i> set to <i>fail</i> (though
+  it has no effect in the "Use Credentials" mode)-->, and process the
+  resource obtained in this fashion, if any, as described in this
+  section.</p>
 
   <p>When a user agent is to <dfn>fail the connection</dfn>, the user
   agent must set the <code