On Wed, Apr 21, 2010 at 11:47 PM, Maciej Stachowiak <mjs@apple.com> wrote: > That being said, I'm totally open to a name that conveys the same meaning > with less perceived ambiguity. I just don't think "Uniform" is it. It > doesn't get across the main idea very well at all. We need a phrase that > says "the browser won't automatically add any credentials, identifying > information or ambient authority". > I think you need to consider the larger anticipated rhetorical context. Something like: "Browser security is crap. It is based on a bad theory badly executed. The Same Origin Policy led to a proliferation of ACL mechanisms in the browser -- four at last count. These endless ACL epicycles have not yet been adequate to protect us from CSRF and Clickjacking, so some see the solution in elaborating the SOP with yet another ACL epicycle, the Origin header. Fortunately, the original web architecture contains the seeds of its own success -- the concept for Uniformity, as embraced by the URL and URI. Extended from designators to the messages sent to those designators, we get the Uniform Messaging Policy as a simple, clean, sound, and understandable alternative to the failed Same Origin Policy. Messages sent to using the XMLHttpRequest constructor are still governed by the Same Origin Policy. To escape the madness and use the Uniform Messaging Policy, use the UniformRequest constructor instead."
Received on Thursday, 22 April 2010 17:28:14 UTC