Re: UMP / CORS: Implementor Interest

Firefox, Chrome and Caja have now all declared an interest in
implementing UMP. Opera and Safari have both declared an interest in
implementing the functionality defined in UMP under the name CORS. I
think it's clear that UMP has sufficient implementor interest to
proceed along the standardization path.

In the discussion on chromium-dev, Adam Barth wrote:

> Putting these together, it looks like we want a separate UMP
> specification for web developers and a combined CORS+UMP specification
> for user agent implementors.  Consequently, I think it makes sense for
> the working group to publish UMP separately from CORS but have all the
> user agent conformance requirements in the combined CORS+UMP document.


I think this is a satisfactory compromise and conclusion to the
current debate. Anne, are you willing to adopt this strategy? If so, I
think there needs to be a normative statement in the CORS spec that
identifies the algorithms and corresponding inputs that implement UMP.

Before sending UMP to Last Call, we need a CORS and UMP agreement on
response header filtering. We need to reconcile the following two


Remaining subset issues around caching and credentials can be
addressed with editorial changes to CORS. I'll provide more detail in
a later email, assuming we've reached a compromise.


On Mon, Apr 19, 2010 at 12:43 AM, Anne van Kesteren wrote:
> Hopefully it helps calling out attention to this in a separate thread.
> In
> Maciej states Apple has no interest in implementing UMP from the UMP
> specification. (I believe this means that a CORS-defined subset that roughly
> matches UMP is fine.) They want to retain their CORS support.
> For Opera I can say we are planning on supporting CORS in due course and
> have no plans on implementing UMP from the UMP specification.
> It would be nice if the three other major implementors (i.e. Google,
> Mozilla, and Microsoft) also stated their interest for both specifications,
> especially including whether removing their current level of CORS support is
> considered an option.
> --
> Anne van Kesteren

"Waterken News: Capability security on the Web"

Received on Tuesday, 11 May 2010 17:49:31 UTC