Chromium's support for CORS and UMP

Hi all,

A couple weeks back there was a question as to implementor support for
UMP and CORS, and that ended up launching a longish thread on the
chromium-dev mailing list [1].

Tyler Close has asked me to summarize the conclusions of that thread
here, so ...

1) CORS is already implemented and shipping in WebKit, so Chromium
supports CORS and will continue to do so for the foreseeable future.

2) We (the Chromium team) are curious as to what CORS is being used
for - we don't have a lot of real-world examples, and so we may end up
instrumenting the dev channels of Chromium to see if we can actually
figure this out [2].

3) UMP appears to be nearly a subset of CORS, and does have a lot of
nice properties for security and simplicity. We support UMP and would
like to see the syntax continue to be unified with CORS so that it is
in fact a subset (I believe this is already happening). We also
(mostly) support UMP being a separate spec so that web authors can
read it without being bogged down by the additional complexity CORS
offers. If there is a good editorial way to handle this in a single
spec, that would probably be fine.

4) We acknowledge that CORS can fall prey to confused-deputy style
attacks, although they can be mitigated, as Maciej demonstrated a few
months ago. However, it appears that there are certain use cases for
CORS that are safe that can be easily deployed, and it is unclear if a
UMP-style solution will be as easy to use for web authors.
Accordingly, we are reluctant to remove support for CORS altogether
until we can better answer (2). Assuming (2) shows that people are using
CORS, then, for compatibility reasons, we will not really be in a position to
disable it.


-- Dirk


[2] I am referring to the usage statistics we gather on an opt-in
basis, as documented here:

Received on Monday, 10 May 2010 23:35:03 UTC