Re: CORS versus Uniform Messaging?

On Thu, Dec 10, 2009 at 10:53 AM, Arthur Barstow <Art.Barstow@nokia.com>wrote:

> CORS and Uniform Messaging People,
>
> We are now just a few weeks away from the February 2006 start of what has
> now become the CORS spec. In those four years, the model has been
> significantly improved, Microsoft deployed XDR, we now have the Uniform
> Messaging counter-proposal. Meanwhile, the industry doesn't have an agreed
> standard to address the important use cases.
>
> Although we are following the Darwinian model of competing specs with Web
> SQL Database and Indexed Database API, I believe I'm not alone in thinking
> competing specs in the CORS and UM space is not desirable and perhaps even
> harmful.
>
> Ideally, the group would agree on a single model and this could be achieved
> by converging CORS + UM, abandoning one model in deference to the other,
> etc.
>
> Can we all rally behind a single model?
>
>
Yes, I believe we can. That's why we designed UM Level 1 (hereafter UM1) so
that UM1-compliant server-side behavior would be compatible both with
UM1-compliant browsers and with the XDR or CORS approximations in the latest
deployments of all the major browsers. If we were not designing UM1 to be
such a rallying point, we would have gone with the compact "U:" header
mentioned in our note, rather than the unfortunately verbose,
incompressible, but compatible "Access-Control-Allow-Origin: *"  header.

UM1 avoids the security flaws of CORS while operating in the intersection of
existing deployments and proposals.

As for extending beyond level 1 into the issues potentially requiring
pre-flight and outside the intersection with XDR, I continue to think this
should wait till we have agreement on what SOP guarantees server side
app/resource authors may count on, which new protocol proposals are thereby
obligated to uphold. For example, must we really POSTs from conveying
alternate mime types in the absence of a preflight? If we must, then fine.
But if we mustn't, then let's not. For example, if a preflight-less request
could POST with application/jsonrequest, then UM1 would be close to
subsuming JSONRequest.

But if the lack of a preflight-based level 2 is the issue blocking rallying
on UM, we could propose a level 2 before an agreement on what SOP guarantees
must be upheld.



> -Art Barstow
>
>
> On Dec 4, 2009, at 1:30 PM, ext Mark S. Miller wrote:
>
>  We intend that Uniform Messaging be adopted instead of CORS. We intend
>> that those APIs that were expected to utilize CORS (SSE, XBL) instead
>> utilize Uniform Messaging. As for XHR2, we intend to propose a similar
>> UniformRequest that utilizes Uniform Messaging.
>>
>> We intend the current proposal, Uniform Messaging Level One, as an
>> alternative to the pre-flight-less subset of CORS. As for the
>> remaining Level Two issues gated on pre-flight, perhaps these are best
>> addressed after we settle the SOP restrictions that server-side app
>> authors may count on, which therefore protocols such as CORS and
>> Uniform Messaging must uphold.
>>
>>
>> On Fri, Dec 4, 2009 at 10:04 AM, Arthur Barstow <art.barstow@nokia.com>
>> wrote:
>>
>>> Mark, Tyler,
>>>
>>> On Nov 23, 2009, at 12:33 PM, ext Tyler Close wrote:
>>>
>>>  I made some minor edits and formatting improvements to the document
>>>> sent out on Friday. The new version is attached. If you read the prior
>>>> version, there's no need to review the new one. If you're just getting
>>>> started, use the attached copy.
>>>>
>>>
>>> Would you please clarify your intent with your Uniform Messaging proposal
>>> vis-à-vis CORS and your expectation(s) from the Working Group?
>>>
>>> -Art Barstow
>>>
>>
>
>


-- 
   Cheers,
   --MarkM