W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: [UMP] Request for Last Call

From: Kris Zyp <kris@sitepen.com>
Date: Thu, 08 Apr 2010 09:28:55 -0600
Message-ID: <4BBDF637.9040805@sitepen.com>
To: Maciej Stachowiak <mjs@apple.com>
CC: marcosc@opera.com, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Tyler Close <tyler.close@gmail.com>
Hash: SHA1

On 4/7/2010 9:50 PM, Maciej Stachowiak wrote:
> On Apr 7, 2010, at 3:01 PM, Marcos Caceres wrote:
>>>> Are there any
>>>> vendors considering dropping support for CORS in favor of just
>>>> supporting
>>>> UMP?
>> This question is quite relevant and I think deserves an answer. It
>> gives the WG a real idea about concensus if there is buy-in to
>> implement; though for comercial reasons some may not want to make
>> support public.
>> FWIW, I'm quite keen to review the draft (as I personally quite liked
>> the earlier draft and was even about to start reviewing this morning)
>> but am reluctant to do so because I'm not getting a sense of
>> significant support.
> Here's what I can tell you about Apple's current thinking:
> - We are currently shipping support CORS via XMLHttpRequest in
> Safari and WebKit.
> - We do not plan to drop support for CORS.
> - We do not plan to implement UMP directly from the UMP spec.
> - If CORS gains a no-credentials subset, and XHR2 gained an API to
> use that subset, we would likely implement that (no firm promises or
> timelines though).
> - If the CORS no-credentials subset ended up not matching UMP in
> some detail, then our implementation would follow CORS, not UMP.
> The reason for this is that the style of the CORS spec will help us
> understand where the if statements should go in our implementation.
> We do not want to implement UMP as a completely separate code path;
> we'd like it to be a mode of the code that already handles CORS.
> Thus, while we may end up implementing UMP by coincidence, our plans
> will likely not be directly affected by the UMP spec, whether or not
> it proceeds to Last Call, or the existence of a UMP test suite. (I'm
> actually not sure how it is even possible to make a UMP test suite
> without having a client API that does UMP processing.)

- From the user & JS toolkit perspective, I am in favor of CORS, and
appreciate Apple/Webkit's direction. UMP seems to profile HTTP too
much to provide the type of RESTful interoperability we really need
for cross-domain communication. I totally agree with the security
philosophy of UMP expressed in
http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UMP, that
authorization needs be explicit and ambient authority will lead to
security breaches. However, UMP seems to presume too much about what
headers (like cookies) designate authority, when such generalizations
are not always true. At least to me, CORS seems to properly follow
this security approach, allowing servers to use explicit authorization
(permission tokens or other techniques) and designate and avoid
requests that might hazardously permit ambient authority, while still
balancing excellent support for HTTP-based communication, without
forcing users to resort to various ugly hacks to emulate existing HTTP
semantics. +1 for CORS.

I am in favor of the "no-credentials" flag on XHR for the UMP subset
of CORS as well, I think UMP definitely has value as a subset of CORS
that can be opted into.


- -- 
Kris Zyp
(503) 806-1841
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
Received on Thursday, 8 April 2010 15:31:50 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:24 UTC