W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [XHR2] AnonXMLHttpRequest()

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 02 Feb 2010 17:14:36 -0800
Cc: Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
Message-id: <5D2895DF-33CC-4650-9D70-BF05B36EE691@apple.com>
To: Tyler Close <tyler.close@gmail.com>

On Feb 2, 2010, at 11:15 AM, Tyler Close wrote:

> On Sun, Jan 31, 2010 at 11:03 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>> I'm curious what practical differences there are between CORS with the credentials flag
>> set to false and the origin set to "null", and UMP. Are there any?
> 
> The credentials flag in CORS is underspecified, so it's hard to answer
> this question.

Can you be more specific? What is underspecified about it? Sounds like something we should fix.

> 
> Since we've all noted that CORS and UMP take a different approach to
> the problem, I think it would be confusing to bundle them in a single
> spec. If CORS wants to be a superset of UMP, then I think it's best to
> write CORS as an extension of UMP, and so referencing UMP, rather than
> absorbing it. This specification layout would also make it easier to
> communicate the differences between an AnonXMLHttpRequest (or
> UniformRequest) and an XHR2; each would link to their corresponding
> spec document without needing to select only the relevant
> sub-sections.

CORS algorithms are parameterized, so API specs don't have to link to a specific section, just define the input parameters.

Does UMP have extension hooks sufficient to allow CORS to be written as a UMP extension as you suggest?

> Since UMP is also much smaller and simpler than CORS, I think it makes
> sense to push it through the standardization process at a faster pace
> than CORS. For example, I think it is reasonable to move UMP to Last
> Call as early as next month, or the even the end of this month.

I'm not sure this makes sense if we want to maintain the subset relation. And if we don't want to maintain the subset relation, then I would oppose advancing UMP at all.

> 
>> Note: in light of the above, I think AnonXMLHttpRequest would be almost the same as XDomainRequest, the only difference being that it would send "Origin: null" instead of the sender's actual Origin.
> 
> As the UMP spec notes, it is within the intersection of what has been
> commonly deployed across user-agents. I'm curious to learn Microsoft's
> assessment of UMP, since, as you note, it is very close to their own
> XDomainRequest.

Actually, it's not within the intersection, since it requires "Origin: null" rather than the actual Origin. No user agent currently has an API that generates UMP-conformant requests.

Regards,
Maciej
Received on Wednesday, 3 February 2010 01:15:11 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:36 GMT