Re: [UMP] Subsetting (was: [XHR2] AnonXMLHttpRequest()) from Jonas Sicking on 2010-04-12 (public-webapps@w3.org from April to June 2010)

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 12 Apr 2010 16:14:46 -0700
To: Tyler Close <tyler.close@gmail.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Arthur Barstow <art.barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
Message-ID: <x2g63df84f1004121614re2f44460pdc8b02b743a04d8c@mail.gmail.com>

On Mon, Apr 12, 2010 at 3:48 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Mon, Apr 12, 2010 at 3:41 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Mon, Apr 12, 2010 at 3:10 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>>> I think even taken together, your set of subset conditions does guarantee
>>>> that a CORS client implementation is automatically also a UMP client
>>>> implementation. If we went that way, then we would have to consider whether
>>>> there will ever be client implementors of UMP itself, or it will be
>>>> impossible to fulfill CR exit criteria.
>>>
>>> If there are implementers of CORS, then by definition, there are
>>> implementers of UMP. I don't see anything in CR exit criteria that
>>> requires implementers to swear not to also implement other
>>> specifications.
>>
>> So is sending the 'Origin' and 'Referer' headers ok per UMP?
>
> Sending "Origin: null" is OK per UMP. Similarly, an "null"-like value
> for Referer would be OK.
>
>> The current CORS implementation in firefox always sends those headers.
>
> Then that implementation is only compatible with UMP when used in
> combination with some mechanism for putting the requesting content in
> an anonymous <iframe>. Ideally, Firefox would allow this to be
> expressed via the messaging API instead of requiring the anonymous
> <iframe>.
>
>> I would have imagined that UMP would explicitly forbid any ambient
>> authority or identity information other than IP number?
>
> Correct.

It seems to me then that Firefox implements CORS, but does not
implement UMP. The fact that a web page can use javascript to
implement UMP using the primitives implemented by the browser doesn't
change the fact that the browser doesn't implement UMP. We have had
similar situations in the past where javascript libraries have been
able to implement various CSS features, despite those features not
being natively implemented by the browser. I also think it would be
possible to implement CORS purely in javascript as well, as long as
you can set the 'Origin' header for same-site XHR requests (this is
possible in older browser versions).

We have traditionally not counted such javascript implementations
towards the "two implementations" requirement.

/ Jonas

Received on Monday, 12 April 2010 23:15:33 UTC