Re: CORS versus Uniform Messaging?

On Thu, Dec 10, 2009 at 10:53 AM, Arthur Barstow <Art.Barstow@nokia.com> wrote:
> CORS and Uniform Messaging People,
>
> We are now just a few weeks away from the February 2006 start of what has
> now become the CORS spec. In those four years, the model has been
> significantly improved, Microsoft deployed XDR, we now have the Uniform
> Messaging counter-proposal. Meanwhile, the industry doesn't have an agreed
> standard to address the important use cases.
>
> Although we are following the Darwinian model of competing specs with Web
> SQL Database and Indexed Database API, I believe I'm not alone in thinking
> competing specs in the CORS and UM space is not desirable and perhaps even
> harmful.
>
> Ideally, the group would agree on a single model and this could be achieved
> by converging CORS + UM, abandoning one model in deference to the other,
> etc.
>
> Can we all rally behind a single model?

I'm not sure that we want to. My impression is that both models have
their advantages and risks. They basically implement two different
security design philosophies, and I'm not confident that there is a
winner, or that we can correctly pick one.

CORS seems easier in the simpler cases when no website acts as a
deputy. UM seems less likely to cause confused deputy problems when a
website acts as a deputy and receives URLs from third parties (either
by fetching them over the network, or by having third party code
running in their domain using something like Caja).

/ Jonas

Received on Thursday, 10 December 2009 20:05:57 UTC