
[UMP] Feedback on UMP from a quick read

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 8 Jan 2010 13:41:09 -0800
Message-ID: <7789133a1001081341v2f3d2157s358c245c495a2b55@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
[[
In particular, the user agent should not add the HTTP headers:
User-Agent, Accept, Accept-Language, Accept-Encoding, or
Accept-Charset
]]

This seems a bit overly constrictive.  Maybe we should send "Accept: */*", etc?

More generally, I suspect the requirements in Section 3.2 violate
various HTTP RFCs.  Maybe we should use the term "willful violation"
somewhere?

[[
If the response to a uniform request is an HTTP redirect, it is
handled as specified by [HTTP], whether or not the redirect is itself
a uniform response. If the redirect is not a uniform response, the
user-agent must still prevent the requesting content from accessing
the content of the redirect itself, though a response to a redirected
request might be accessible if it is a uniform response. If the
response to a uniform request is an HTTP redirect, any redirected
request must also be a uniform request.
]]

This seems looser than needed.  It would be better if the redirect had
to be a uniform response also.  There's a note in the spec "The HTML
<form> element can also follow any redirect, without restriction by
the Same Origin Policy", but the <form> element also sends Accept and
User-Agent headers.  What's the reason for excluding the headers but
not requiring redirects to be uniform responses?

What happens with Set-Cookie headers included in uniform responses?
It seems like we ought to ignore them based on the principle that UMP
requests are made from a state store / context that is completely
separate from the user agent's normal state store / context.

Adam
Received on Friday, 8 January 2010 21:42:01 GMT
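
An added example, not part of the original message or of any browser's code: a small JavaScript model of the redirect rule quoted above, run next to the stricter variant the message asks about, with the listed headers stripped and Set-Cookie ignored as the message suggests. The `Access-Control-Allow-Origin: *` marker for a uniform response, the function names and the sample URLs are assumptions.

```javascript
// Constructed model of the rules quoted in the message; not UMP spec text or browser code.
// Assumption: a response is "uniform" when it carries Access-Control-Allow-Origin: *
// (that marker comes from the UMP draft, not from this message).
const isUniform = (res) => res.headers['access-control-allow-origin'] === '*';

// Headers the quoted text keeps off a uniform request, plus Cookie (separate state store).
const STRIPPED = new Set(['user-agent', 'accept', 'accept-language',
                          'accept-encoding', 'accept-charset', 'cookie']);

// Drop ambient browser headers so that every hop goes out as a uniform request.
function uniformRequest(url, ambient) {
  const headers = Object.fromEntries(
    Object.entries(ambient).filter(([name]) => !STRIPPED.has(name.toLowerCase())));
  return { url, headers };
}

function uniformFetch(url, server, ambient, { strictRedirects = false, maxHops = 5 } = {}) {
  const sent = [];
  const cookieJar = {}; // never written: Set-Cookie is ignored, as the message proposes
  const deny = (reason) => ({ accessible: false, body: null, reason, sent, cookieJar });
  for (let hop = 0; hop <= maxHops; hop++) {
    sent.push(uniformRequest(url, ambient));
    const res = server[url];
    if (!res) return deny('no such resource');
    const isRedirect = res.status >= 300 && res.status < 400 && 'location' in res.headers;
    if (!isRedirect) {
      return isUniform(res)
        ? { accessible: true, body: res.body, reason: 'uniform response', sent, cookieJar }
        : deny('final response not uniform');
    }
    // Quoted rule: follow any redirect but never expose the redirect's own content.
    // Stricter variant asked for in the message: the redirect must be uniform too.
    if (strictRedirects && !isUniform(res)) return deny('redirect not uniform');
    url = res.headers.location;
  }
  return deny('too many redirects');
}

// Constructed sample data: a non-uniform redirect that leads to a uniform resource.
const AMBIENT = { 'User-Agent': 'ExampleBrowser/1.0', Accept: 'text/html', Cookie: 'sid=abc' };
const SERVER = {
  'https://a.example/start': { status: 302, body: 'redirect page',
    headers: { location: 'https://b.example/data', 'set-cookie': 'sid=1' } },
  'https://b.example/data': { status: 200, body: 'public data',
    headers: { 'access-control-allow-origin': '*', 'set-cookie': 'track=9' } },
};

console.log(uniformFetch('https://a.example/start', SERVER, AMBIENT).reason);
console.log(uniformFetch('https://a.example/start', SERVER, AMBIENT, { strictRedirects: true }).reason);
```

With the quoted rule the final body is readable even though the redirect itself was not a uniform response; with `strictRedirects` the chain stops at the first hop.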
