This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
http://www.html5rocks.com/en/tutorials/eventsource/basics/#toc-security

"Authors should check the origin attribute to ensure that messages are only accepted from domains that they expect to receive messages from. Otherwise, bugs in the author's message handling code could be exploited by hostile sites."

That warning is especially relevant for window.postMessage() messages and not so much EventSource and WebSocket, and this should be marked in the spec. See http://krijnhoetmer.nl/irc-logs/whatwg/20111122#l-381
Upon further investigation, that paragraph is already deep within the window.postMessage() part of the spec; it's not generically near the MessageEvent object, nor anywhere near the EventSource stuff. Not sure how to make this better.
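
The origin check that the quoted warning asks for in a window.postMessage() handler, as an added example that is not part of the original bug report or the spec. The origins, function names and sample events are constructed assumptions; the substring check is included only as the weak form to contrast with exact matching.

```javascript
// Origins below are constructed placeholders, not values from the page.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widgets.example.com",
]);

// Weak check (shown for contrast): substring matching accepts any origin
// that merely contains the expected host name, on any scheme.
function weakOriginCheck(origin) {
  return typeof origin === "string" && origin.indexOf("app.example.com") !== -1;
}

// Strict check: exact comparison against the serialized origin
// (scheme + host + optional port), which is what event.origin carries.
function strictOriginCheck(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowed.has(origin);
}

// Wraps a handler so it only runs for events from an expected origin.
// The returned status object is for testing; browsers ignore it.
function guardMessageHandler(handler, allowed = ALLOWED_ORIGINS) {
  return function onMessage(event) {
    if (!strictOriginCheck(event.origin, allowed)) {
      return { accepted: false, reason: "unexpected origin" };
    }
    // Origin is only the first gate; the payload is still untrusted input.
    if (typeof event.data !== "string") {
      return { accepted: false, reason: "unexpected payload type" };
    }
    return { accepted: true, result: handler(event.data, event.origin) };
  };
}

// Constructed stand-ins for MessageEvent objects so the code runs in Node.
const sampleEvents = [
  { origin: "https://app.example.com", data: "ping" },
  { origin: "https://app.example.com.other.test", data: "ping" },
  { origin: "http://app.example.com", data: "ping" },
  { origin: "null", data: "ping" },
  { origin: "https://widgets.example.com", data: { cmd: "ping" } },
];

function runSamples() {
  const guarded = guardMessageHandler((data) => data.toUpperCase());
  return sampleEvents.map((ev) => guarded(ev));
}

// In a browser: window.addEventListener("message", guardMessageHandler(fn));
```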