Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

On Wed, 07 Apr 2010 16:06:55 +0200, Arthur Barstow <>  
> What is the status and plan to get CORS ready for Last Call?

I've mostly been waiting to see what happens with UMP. What I've heard so  
far from various implementors is that they want to keep CORS and add the  
ability to XMLHttpRequest for credential-less requests via the  
constructor. But I might be missing something.

> I see the following related "Raised" Issues:
>   Reduce the length of the header names?

This is not possible I think. SPDY or some such should be of help here.  
Anyway, it is still open because mnot wanted some kind of official WG  

>   Exposing more (~infinite) response headers

I've been trying to find out which solution implementors prefer, but  
without much luck so far.

>   confused deputy problem

We discussed this to death.

>   CORS does not define the effect of the credentials flag in sufficient  
> detail

I defined this.

> And the latest ED includes 3 "red block" Issues.

They all indicate the need for other specifications to move forward. URL,  
HTTP, and whatever specification ends up defining origin. I.e. editorial  
and should in theory not block progress.

Anne van Kesteren

Received on Wednesday, 7 April 2010 14:23:04 UTC