- From: Kris Zyp <kris@sitepen.com>
- Date: Thu, 08 Apr 2010 09:28:55 -0600
- To: Maciej Stachowiak <mjs@apple.com>
- CC: marcosc@opera.com, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Tyler Close <tyler.close@gmail.com>
On 4/7/2010 9:50 PM, Maciej Stachowiak wrote:
>
> On Apr 7, 2010, at 3:01 PM, Marcos Caceres wrote:
>
>>>> Are there any vendors considering dropping support for CORS in
>>>> favor of just supporting UMP?
>>
>> This question is quite relevant and I think deserves an answer. It
>> gives the WG a real idea about consensus if there is buy-in to
>> implement; though for commercial reasons some may not want to make
>> support public.
>>
>> FWIW, I'm quite keen to review the draft (as I personally quite liked
>> the earlier draft and was even about to start reviewing this morning)
>> but am reluctant to do so because I'm not getting a sense of
>> significant support.
>
> Here's what I can tell you about Apple's current thinking:
>
> - We are currently shipping support for CORS via XMLHttpRequest in
>   Safari and WebKit.
> - We do not plan to drop support for CORS.
> - We do not plan to implement UMP directly from the UMP spec.
> - If CORS gains a no-credentials subset, and XHR2 gained an API to
>   use that subset, we would likely implement that (no firm promises or
>   timelines though).
> - If the CORS no-credentials subset ended up not matching UMP in
>   some detail, then our implementation would follow CORS, not UMP.
>
> The reason for this is that the style of the CORS spec will help us
> understand where the if statements should go in our implementation.
> We do not want to implement UMP as a completely separate code path;
> we'd like it to be a mode of the code that already handles CORS.
>
> Thus, while we may end up implementing UMP by coincidence, our plans
> will likely not be directly affected by the UMP spec, whether or not
> it proceeds to Last Call, or the existence of a UMP test suite. (I'm
> actually not sure how it is even possible to make a UMP test suite
> without having a client API that does UMP processing.)
From the user & JS toolkit perspective, I am in favor of CORS, and appreciate Apple/WebKit's direction. UMP seems to profile HTTP too much to provide the type of RESTful interoperability we really need for cross-domain communication. I totally agree with the security philosophy of UMP expressed in http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UMP, that authorization needs to be explicit and ambient authority will lead to security breaches. However, UMP seems to presume too much about what headers (like cookies) designate authority, when such generalizations are not always true. At least to me, CORS seems to properly follow this security approach, allowing servers to use explicit authorization (permission tokens or other techniques) and to designate and avoid requests that might hazardously permit ambient authority, while still balancing excellent support for HTTP-based communication, without forcing users to resort to various ugly hacks to emulate existing HTTP semantics. +1 for CORS.

I am in favor of the "no-credentials" flag on XHR for the UMP subset of CORS as well; I think UMP definitely has value as a subset of CORS that can be opted into.

Thanks,
--
Kris Zyp
SitePen
(503) 806-1841
http://sitepen.com
Received on Thursday, 8 April 2010 15:31:50 UTC
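The distinction drawn in this thread, a credential-less subset of CORS beside full credentialed CORS, with authorization carried by an explicit token rather than by ambient cookies, as an added JavaScript illustration. This is not code from the thread, from WebKit, or from either spec; the origins, token, header names and the `credentialsMode` field (standing in for the XHR `withCredentials` flag) are constructed for the example.

```javascript
// Added illustration of server-side CORS decision logic for the two modes
// discussed above. All origins, tokens and helper names are constructed samples.

const TRUSTED_ORIGINS = new Set(['https://app.example']); // constructed policy
const VALID_TOKENS = new Set(['tok-abc123']);             // constructed token store

// Returns the CORS headers to attach, or allowed:false when the origin is rejected.
// `req` models what the server sees: { method, headers, credentialsMode }, where
// credentialsMode is 'omit' (the no-credentials flag) or 'include' (cookies/HTTP auth sent).
function corsDecision(req) {
  const origin = req.headers.origin;
  if (!origin) return { allowed: true, headers: {} }; // not a cross-origin request

  if (req.credentialsMode === 'omit') {
    // No-credentials subset: the browser sent no cookies or HTTP auth, so a
    // public answer to any origin cannot leak anything that ambient authority guards.
    return { allowed: true, headers: { 'Access-Control-Allow-Origin': '*' } };
  }

  // Credentialed CORS: '*' is not permitted here; echo exactly one vetted origin
  // and opt in explicitly. Vary: Origin stops caches from replaying one origin's
  // answer to another.
  if (!TRUSTED_ORIGINS.has(origin)) return { allowed: false, headers: {} };
  return {
    allowed: true,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    },
  };
}

// Explicit authorization: a bearer token the caller had to be handed on purpose.
// Any cookie on the request is deliberately ignored for this resource, so a
// cross-site request riding on the user's session alone is not enough.
function explicitlyAuthorized(req) {
  const auth = req.headers.authorization || '';
  const m = /^Bearer (\S+)$/.exec(auth);
  return m !== null && VALID_TOKENS.has(m[1]);
}

// Handle GET /account: CORS gate first, then explicit authorization.
function handleAccount(req) {
  const cors = corsDecision(req);
  if (!cors.allowed) return { status: 403, headers: {}, body: 'origin not allowed' };
  if (!explicitlyAuthorized(req)) {
    return { status: 401, headers: cors.headers, body: 'token required' };
  }
  return { status: 200, headers: cors.headers, body: '{"account":"demo"}' };
}
```

Rejecting an unvetted credentialed origin with 403 is a design choice here; a server may also answer normally and rely on the browser to withhold the response, but failing early keeps the credentialed path from doing work on behalf of an origin it never agreed to serve.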