I have read through the w3 spec @ http://www.w3.org/TR/eventsource/ for how EventSource/SSE works, but I can't find any good information about how a private stream should be created.
Basically, I want to create a way to send private data to specific user sessions. Both of the ideas below seem to do what I want, but I am not so sure how secure they are.
Example; does every browser connecting to the same EventSource URL receive the same data, and the browser keeps track of what event-name it wants?
var source = new EventSource('/stream');
source.addEventListener('l0ngr4nd0mSessionID', function(e){
    console.log('Received a private message:', e.data);
});
Will anyone without the event-name of l0ngr4nd0mSessionID be able to get this message?
What about this case;
var source = new EventSource('/stream/l0ngr4nd0mSessionID');
source.addEventListener('private', function(e){
    console.log('Received a private message:', e.data);
});
Are these examples just as good as setting the withCredentials option? My SSE server is a separate server from the main web server, so I would prefer not to send authentication data using withCredentials and rather use one of the examples.
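
An added example, not part of the original post: it parses the raw `text/event-stream` bytes to show that on a shared `/stream` the event name only selects which listener fires in the browser, so every connected client still receives every frame, and contrasts that with a server that binds each connection to one session. The names `parseSSE`, `sharedStream`, `Hub` and the sample session ids are constructed for illustration.

```javascript
// Minimal text/event-stream parser: what any client can read off the wire,
// independent of which addEventListener() names it registered.
function parseSSE(wire) {
  const events = [];
  for (const block of wire.split(/\r?\n\r?\n/)) {
    let event = 'message';
    const data = [];
    for (const line of block.split(/\r?\n/)) {
      if (line.startsWith('event:')) event = line.slice(6).trim();
      else if (line.startsWith('data:')) data.push(line.slice(5).replace(/^ /, ''));
    }
    if (data.length) events.push({ event, data: data.join('\n') });
  }
  return events;
}

// First idea: one shared /stream with the session id as the event name.
// The server writes the same bytes to every connection.
function sharedStream(messages) {
  return messages.map(m => `event: ${m.session}\ndata: ${m.text}\n\n`).join('');
}

// Per-connection routing (assumed server design): a connection is bound to
// one session when it opens, and a message goes only to that session's sockets.
class Hub {
  constructor() { this.bySession = new Map(); }
  connect(session) {
    const conn = { received: '' };
    if (!this.bySession.has(session)) this.bySession.set(session, []);
    this.bySession.get(session).push(conn);
    return conn;
  }
  send(session, text) {
    for (const conn of this.bySession.get(session) || [])
      conn.received += `event: private\ndata: ${text}\n\n`;
  }
}

// Constructed sample: two sessions multiplexed on the shared stream.
const wire = sharedStream([
  { session: 'sessA-constructed', text: 'balance for A' },
  { session: 'sessB-constructed', text: 'balance for B' },
]);
// A client that only knows sessA still gets B's event name and payload.
console.log(parseSSE(wire));
```

With the `Hub` model the session id in the URL acts as a bearer token, so it needs the same care as a session cookie: long, random, sent only over HTTPS, and kept out of logs.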