I'm trying to use EventSource for a streaming connection to a server. But I need to set a session key header on the underlying XHR request. How do I access the XHR from the EventSource object if it's even possible? Thanks!

Note that I'm not sure if CORS is even supported with EventStream yet, which would prevent this from working for me in the first place, but I've read in certain places that it should be supported...

First, the good news is just about every browser supporting SSE also has CORS supported and working with it. (A year ago there were issues, so you will only hit problems if dealing with users who insist on running an out of date version of a modern auto-updating browser, which is an unusual combination.)

• Now the bad news: you cannot set headers on EventSource requests. You will need to go back to good 'ole XHR streaming if you want to be able to set headers.

• On the other hand, cookies are sent, so if your session information can be sent by cookie then that will work.

• On the other other hand, cookies clash with CORS; so if you need both SSE and authentication with 3rd party sites you are going to be frustrated. You have to fallback to using XHR.

Apologies for the blatant plug, but the best source of information I know of, on both these topics, is chapter 9 of my book on SSE. It was the most difficult chapter to write :-).

An alternative approach would be to send your authorization token through URL and in combination with HTTPS it would still be safe from token hijacking.