Re: UMP / CORS: Implementor Interest from Tyler Close on 2010-04-20 (public-webapps@w3.org from April to June 2010)

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 20 Apr 2010 12:55:27 -0700
To: Maciej Stachowiak <mjs@apple.com>
Cc: Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <i2o5691356f1004201255tae0c2585j1f58360bd21f4d0@mail.gmail.com>

On Tue, Apr 20, 2010 at 11:39 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> On Apr 20, 2010, at 9:27 AM, Tyler Close wrote:
>
>> On Mon, Apr 19, 2010 at 6:47 PM, Anne van Kesteren <annevk@opera.com>
>> wrote:
>>>
>>> On Tue, 20 Apr 2010 00:38:54 +0900, Jonas Sicking <jonas@sicking.cc>
>>> wrote:
>>>>
>>>> As I've said before. I'd be interested in implementing UMP in firefox
>>>> if we can come  up with a reasonable API for using it. I.e. a separate
>>>> constructor or flag or similar on XHR. This is assuming that UMP is a
>>>> reasonable subset of CORS.
>>>
>>> Have you looked at the proposal I put in XHR2? It sets certain flags in
>>> CORS
>>> that make it more or less the same as UMP.
>>
>> Why can't it be made exactly like UMP? All of the requirements in UMP
>> have been discussed at length and in great detail on this list by some
>> highly qualified people. The current UMP spec reflects all of that
>> discussion. By your own admission, the CORS spec has not received the
>> same level of review for these features. Why hasn't CORS adopted the
>> UMP solution?
>
> It should be made exactly like UMP, either by changing CORS, or changing
> UMP, or some combination of the two. A list of differences between UMP and
> CORS "anonymous mode" would be most helpful.

Some of these issues are listed at the top of:

http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0060.html

Many of the differences arise from CORS being silent about relevant
issues, such as caching or received cookies, so it's hard to know what
the CORS stand on these issues is. This part of the CORS spec is just
not well developed yet.

Since there are still major outstanding issues against other parts of
the CORS spec, I still think it's a better idea to move forward with
separate documents, where the CORS spec references the UMP spec for
its credential-free mode.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Tuesday, 20 April 2010 19:56:02 UTC