Re: UMP / CORS: Implementor Interest

On Wed, Apr 21, 2010 at 11:47 PM, Maciej Stachowiak <mjs@apple.com> wrote:

> That being said, I'm totally open to a name that conveys the same meaning
> with less perceived ambiguity. I just don't think "Uniform" is it. It
> doesn't get across the main idea very well at all. We need a phrase that
> says "the browser won't automatically add any credentials, identifying
> information or ambient authority".
>


I think you need to consider the larger anticipated rhetorical context.
Something like:

"Browser security is crap. It is based on a bad theory badly executed. The
Same Origin Policy led to a proliferation of ACL mechanisms in the browser
-- four at last count. These endless ACL epicycles have not yet been
adequate to protect us from CSRF and Clickjacking, so some see the solution
in elaborating the SOP with yet another ACL epicycle, the Origin header.

Fortunately, the original web architecture contains the seeds of its own
success -- the concept for Uniformity, as embraced by the URL and URI.
Extended from designators to the messages sent to those designators, we get
the Uniform Messaging Policy as a simple, clean, sound, and understandable
alternative to the failed Same Origin Policy.

Messages sent to using the XMLHttpRequest constructor are still governed by
the Same Origin Policy. To escape the madness and use the Uniform Messaging
Policy, use the UniformRequest constructor instead."

Received on Thursday, 22 April 2010 17:28:14 UTC