Chapter 9. Authorization: Who’s That Knocking at My Door?

In the previous chapters all our data push examples have been open to everyone. In this chapter I will show how we can limit access, whether by IP, cookie, or password. The good news is that it is as straightforward as protecting any other resource on your server.

But that is not the only topic of this chapter. There has been another restriction underlying all the examples in the earlier chapters, and the time has come to deal with that one, too. The restriction is that both your HTML file (that makes the SSE request and receives the data) and your server-side script (that sends the data) have had to reside on the same server. Well, server is too imprecise: they have to be in the same origin. Later in this chapter, we will look at the definition of an origin and then how to get around this restriction.

These two topics are closely related, but notice that they are orthogonal: your data push can fail either because you lack the authorization (IP, cookie, password), or because you come from a disallowed origin, or both. For data push to be successful, the client has to satisfy both.
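The two independent checks described above can be sketched as a server-side decision function. This is an added example, not code from the book: `POLICY`, `isAuthorized`, `originCheck` and `decide` are hypothetical names, the origins and session id are constructed sample values, and answering 403 for a disallowed origin is an assumed server policy.

```javascript
// Added example. POLICY, isAuthorized, originCheck and decide are hypothetical names;
// all origins and session ids below are constructed sample values.
const POLICY = {
  serverOrigin: "https://fx.example.com",             // where the SSE script lives
  allowedOrigins: ["https://dashboard.example.com"],  // other origins allowed to connect
  sessions: new Set(["sid-constructed-1"]),           // valid session cookie values
};

function parseCookies(header = "") {
  const pairs = header.split(";").map(p => p.trim()).filter(Boolean).map(p => {
    const i = p.indexOf("=");
    return i < 0 ? [p, ""] : [p.slice(0, i), p.slice(i + 1)];
  });
  return Object.fromEntries(pairs);
}

// Check 1: authorization. A session cookie stands in for IP or password checks.
function isAuthorized(req, policy) {
  return policy.sessions.has(parseCookies(req.headers.cookie).sid);
}

// Check 2: origin. Browsers may omit the Origin header on same-origin GETs.
function originCheck(req, policy) {
  const origin = req.headers.origin;
  if (origin === undefined || origin === policy.serverOrigin) return { ok: true, cors: {} };
  if (!policy.allowedOrigins.includes(origin)) return { ok: false, cors: {} };
  return { ok: true, cors: {
    // Credentialed requests need the exact origin here; browsers reject "*".
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  } };
}

// Both checks are evaluated independently; the stream opens only if both pass.
function decide(req, policy = POLICY) {
  const origin = originCheck(req, policy);
  const failed = [];
  if (!isAuthorized(req, policy)) failed.push("authorization");
  if (!origin.ok) failed.push("origin");
  if (failed.length > 0) return { status: 403, failed, headers: {} };
  return { status: 200, failed, headers: { "Content-Type": "text/event-stream", ...origin.cors } };
}
```

On the client, a cross-origin `EventSource` only sends cookies when it is constructed with `{ withCredentials: true }`.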

If you are familiar with web applications and want the distilled version of this chapter, authentication and CORS mostly work just like they do for Ajax; but watch out for browser support and bugs.

This chapter will finish by taking the FX demo application from the earlier chapters and showing how to add authentication and CORS support to it.

Cookies ...
