Re: UMP / CORS: Implementor Interest

On Mon, Apr 19, 2010 at 12:43 AM, Anne van Kesteren <> wrote:

> Hopefully it helps calling out attention to this in a separate thread.
> In states Apple has no interest in implementing UMP from the UMP
> specification. (I believe this means that a CORS defined subset that roughly
> matches UMP is fine.) They want to retain their CORS support.
> For Opera I can say we are planning on supporting CORS in due course and
> have no plans on implementing UMP from the UMP specification.
> It would be nice if the three other major implementors (i.e. Google,
> Mozilla, and Microsoft) also stated their interest for both specifications,
> especially including whether removing their current level of CORS support is
> considered an option.

Caja does plan to implement UMP and not CORS. Caja is a user agent built as
a virtual browser-in-browser, translating from the subset of future web
standards it accepts (e.g., a subset of ES5/strict) into the subset of
future web standards supported by current browsers (e.g., a subset of ES3).
Caja accepts not just JavaScript of course -- Caja parses a sanitized subset
of HTML using HTML5's tag soup algorithm. Since Caja helps protect the Yahoo! home
page, in some quantitative sense it is a larger user agent than Safari,
Opera, or Chrome.

Caja intermediates the dereferencing of all URLs through a
container-supplied URL translation policy. Say cajoled code inlined on a
page running on site X makes a cross-origin request to a server addressed as
site Y. Caja does support all Yahoo! A-grade browsers including IE6. To
emulate the cross-origin request on IE6, obviously, our only choice is to
relay the request through the X server. Since the X server has no access to
the browser's cookies for site Y, obviously, we cannot emulate the CSRF
vulnerabilities of full CORS even if we wanted to. UniformRequests can be
faithfully relayed through intermediaries. Full CORS cannot. Thus,
UniformRequests have a better incremental transition story for software that
can be deployed today.

> --
> Anne van Kesteren


Received on Thursday, 22 April 2010 23:34:35 UTC
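The relay argument in the message above (a request with no ambient credentials survives being forwarded through site X unchanged, while one that depends on the browser's cookies for site Y does not) can be made concrete with a small model. This is an added example, not Caja's code or anything from the UMP or CORS drafts: the browser, the X relay, the Y server, the host names and the cookie value are all constructed for illustration, and the header set treated as "ambient" is this model's assumption.

```python
"""Toy model of relaying a cross-origin request through the embedding site.

Three parties: the browser (holds site Y's cookies), site X's server (the
relay, holds no Y cookies) and site Y's server. A uniform request carries
nothing the relay could not reproduce, so forwarding it is faithful; a
credentialed request depends on state only the browser has.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Headers the browser attaches from its own ambient state on a credentialed
# request. A uniform request never carries these; the UMP draft also omits
# Origin and Referer, and this model treats them the same way (assumption).
AMBIENT_HEADERS = {"cookie", "authorization", "origin", "referer"}

# Constructed cookie jar: only the browser holds site Y's session cookie.
BROWSER_COOKIES: Dict[str, str] = {"y.example": "session=constructed-session-token"}


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: Dict[str, str]


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def make_uniform(req: Request) -> Request:
    """Strip every header that only the browser's ambient state could supply."""
    kept = {k: v for k, v in req.headers.items() if k.lower() not in AMBIENT_HEADERS}
    return Request(req.method, req.host, req.path, kept)


def site_y_server(req: Request) -> Response:
    """Site Y: returns account data only to a request bearing its session cookie."""
    if req.headers.get("cookie") == BROWSER_COOKIES.get(req.host):
        body = "private account data"
    else:
        body = "public data"
    # Y opts in to letting anonymous cross-origin callers read the response.
    return Response(200, {"access-control-allow-origin": "*"}, body)


def browser_sends_direct(req: Request, with_credentials: bool) -> Response:
    """The browser talking to Y itself; a credentialed (CORS-style) request gets Y's cookies."""
    if with_credentials:
        headers = dict(req.headers)
        headers["cookie"] = BROWSER_COOKIES[req.host]
        return site_y_server(Request(req.method, req.host, req.path, headers))
    return site_y_server(make_uniform(req))


def site_x_relay(req: Request) -> Response:
    """Site X's server forwarding on behalf of cajoled code; it has no Y cookies to attach."""
    return site_y_server(make_uniform(req))


def readable_by_requester(resp: Response) -> Optional[str]:
    """A uniform response is exposed to the caller only if Y marks it Access-Control-Allow-Origin: *."""
    if resp.headers.get("access-control-allow-origin") == "*":
        return resp.body
    return None


def relay_is_faithful(req: Request, with_credentials: bool) -> bool:
    """True when going through X yields exactly what the browser would have got directly."""
    direct = browser_sends_direct(req, with_credentials)
    relayed = site_x_relay(req)
    return (direct.status, direct.body) == (relayed.status, relayed.body)


if __name__ == "__main__":
    req = Request("GET", "y.example", "/feed", {"accept": "application/json"})
    print("uniform request relayed faithfully:", relay_is_faithful(req, with_credentials=False))
    print("credentialed request relayed faithfully:", relay_is_faithful(req, with_credentials=True))
    print("what the relay can hand back:", readable_by_requester(site_x_relay(req)))
```

The point the model makes is the one the message relies on: because X never sees Y's cookies, the relayed path can only ever produce what an anonymous caller would get, which is exactly why it cannot reproduce a cookie-bearing request and why a uniform request is the one that can be emulated on a browser without native cross-origin support.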