Re: UMP / CORS: Implementor Interest

On Wed, May 12, 2010 at 9:01 AM, Tyler Close <tyler.close@gmail.com> wrote:

> In the general case, including many common cases, doing this
> validation is not feasible. The CORS specification should not be
> allowed to proceed through standardization without providing
> developers a robust solution to this problem.
>
> CORS is a new protocol and the WG has been made aware of the security
> issue before applications have become widely dependent upon it. The WG
> cannot responsibly proceed with CORS as is.


Clearly there is a fundamental philosophical difference here. The end result
is pretty clear:
1. Every implementor except Caja is implementing CORS and prefers a unified
CORS/UMP spec.
2. Some implementors are unwilling to implement a separate UMP spec.

The same arguments have been hashed out multiple times. The above is not
going to change by talking through them again.

Blocking the CORS spec on principle is meaningless at this point. Even if
the spec were not officially standardized, it's shipping in browsers. It's
not going to be taken back.

Realistically, UMP's only hope of actually getting wide adoption is if it's
part of the CORS spec. Can you focus on improving CORS so that it addresses
your concerns as much as realistically possible?

Ojan

Received on Wednesday, 12 May 2010 18:22:37 UTC