W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: UMP / CORS: Implementor Interest

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 11 May 2010 11:17:17 -0700
Message-ID: <AANLkTiljM0rJuQ7sEOqObiDBighleIcj5yBSlv-nuB5t@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>, Arthur Barstow <Art.Barstow@nokia.com>
On Tue, May 11, 2010 at 10:54 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 11 May 2010 19:48:57 +0200, Tyler Close <tyler.close@gmail.com>
> wrote:
>> Firefox, Chrome and Caja have now all declared an interest in
>> implementing UMP. Opera and Safari have both declared an interest in
>> implementing the functionality defined in UMP under the name CORS. I
>> think it's clear that UMP has sufficient implementor interest to
>> proceed along the standardization path.
>> In the discussion on chromium-dev, Adam Barth wrote:
>> """
>> Putting these together, it looks like we want a separate UMP
>> specification for web developers and a combined CORS+UMP specification
>> for user agent implementors.  Consequently, I think it makes sense for
>> the working group to publish UMP separately from CORS but have all the
>> user agent conformance requirements in the combined CORS+UMP document.
>> """
>> See:
>> http://groups.google.com/a/chromium.org/group/chromium-dev/msg/4793e08f8ec98914?hl=en_US
>> I think this is a satisfactory compromise and conclusion to the
>> current debate. Anne, are you willing to adopt this strategy? If so, I
>> think there needs to be a normative statement in the CORS spec that
>> identifies the algorithms and corresponding inputs that implement UMP.
> I don't understand. As far as I can tell Adam suggests making UMP an
> authoring guide.

I read Adam as saying the UMP specification should be published. The
words "authoring guide" don't appear. I believe his reference to a
benefit for web developers refers to an opinion expressed earlier in
the thread that the UMP specification is more easily understood by web

> Why would CORS need to normatively depend on it?

For developers to be able to rely on the normative statements made in
UMP when using a CORS implementation,  CORS must normatively claim to
be implementing UMP.

>> Before sending UMP to Last Call, we need a CORS and UMP agreement on
>> response header filtering. We need to reconcile the following two
>> sections:
>> http://dev.w3.org/2006/waf/access-control/#handling-a-response-to-a-cross-origin-re
>> and
>> http://dev.w3.org/2006/waf/UMP/#response-header-filtering
>> Remaining subset issues around caching and credentials can be
>> addressed with editorial changes to CORS. I'll provide more detail in
>> a later email, assuming we've reached a compromise.
> I think we first need to figure out whether we want to rename headers or
> not, before any draft goes to Last Call, especially if UMP wants to remain a
> subset of some sorts.

AFAICT, your renaming proposal does not cover this section of CORS. I
think the two efforts can proceed in parallel. I look forward to your
feedback on this topic.


"Waterken News: Capability security on the Web"
Received on Tuesday, 11 May 2010 18:17:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:07 UTC