Re: [UMP] Subsetting (was: [XHR2] AnonXMLHttpRequest())

On Tue, Apr 13, 2010 at 10:17 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Mon, Apr 12, 2010 at 5:28 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> I wouldn't be opposed to implementing UMP, as long as there's a decent
>> API for invoking it, and that it's a good subset relative to CORS. I
>> think we've talked about various constructors or flags that let you
>> use the XHR API together with the UMP protocol.

I'm less concerned with the actual syntax, so please propose your
preferred choice. I just want something easy to use with the right
semantics.

> Oh, I should mention one concern that I have with UMP though. The spec
> seems to explicitly forbid sending the 'Referer' header [1]. I
> understand the purpose of this as the Referer header can be
> interpreted as ambient authentication.
>
> However a problem is that I think many sites rely on this header for
> things other than authentication. Such as measuring load from various
> 3rd parties, measuring who loads data in order to provide back links,
> etc. This is done for public data as much as for private.
>
> I don't have a solution to propose. Nor do I at this time think that
> this is a blocker issue. However I wouldn't be surprised if sites will
> not want to deploy UMP because of this.

There are a number of click tracking techniques that use unique URLs,
instead of the Referer header. In many cases, these techniques are
more reliable since some firewalls drop the Referer header and caching
proxies can prevent requests from reaching the hosting server at all.
I'm hopeful these techniques will support traffic analysis of public
data offered via UMP, without the security hazards created by the
Referer header.

> [1] Section 3.2, Sending a Uniform Request, says: "MUST NOT add any
> information obtained from ... or the referring resource". For what
> it's worth, I think this could be made more clear.

Thanks, I'll attempt a different phrasing.

Thanks for the feedback.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Tuesday, 13 April 2010 17:47:14 UTC
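
The unique-URL approach to traffic analysis mentioned in the reply above, as an added example that is not part of the original message or of the UMP specification: the publisher hands each consumer its own URL and attributes requests from the URL alone, never reading the Referer header. The HMAC tag, the key, the host `data.example` and the names `issue_url`, `attribute` and `count_requests` are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter
from urllib.parse import urlsplit

# Constructed demo key (assumption); a real service would load a secret from configuration.
SECRET = b"constructed-demo-key"


def _tag(consumer_id):
    # Short keyed tag so the publisher can recognise URLs it issued without a lookup table.
    return hmac.new(SECRET, consumer_id.encode(), hashlib.sha256).hexdigest()[:16]


def issue_url(base, consumer_id):
    """Return the per-consumer URL <base>/<consumer_id>.<tag>."""
    return f"{base.rstrip('/')}/{consumer_id}.{_tag(consumer_id)}"


def attribute(url):
    """Return the consumer id carried in the URL, or None if the tag is missing or wrong."""
    token = urlsplit(url).path.rsplit("/", 1)[-1]
    consumer_id, sep, tag = token.rpartition(".")
    if not sep or not consumer_id:
        return None
    if hmac.compare_digest(tag.encode(), _tag(consumer_id).encode()):
        return consumer_id
    return None


def count_requests(requests):
    """Tally requests per consumer from (url, headers) pairs; headers are deliberately ignored."""
    counts = Counter()
    for url, _headers in requests:
        counts[attribute(url) or "unattributed"] += 1
    return counts


# Constructed sample traffic: no request carries a Referer header.
BASE = "https://data.example/feed"
SAMPLE_REQUESTS = [
    (issue_url(BASE, "partner-a"), {}),
    (issue_url(BASE, "partner-b"), {}),
    (issue_url(BASE, "partner-a"), {}),
    (BASE + "/partner-a.0000000000000000", {}),  # forged tag
]

if __name__ == "__main__":
    for consumer, n in sorted(count_requests(SAMPLE_REQUESTS).items()):
        print(consumer, n)
```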