- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 11 May 2010 11:17:17 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "public-webapps@w3.org" <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>, Arthur Barstow <Art.Barstow@nokia.com>
On Tue, May 11, 2010 at 10:54 AM, Anne van Kesteren <annevk@opera.com> wrote: > On Tue, 11 May 2010 19:48:57 +0200, Tyler Close <tyler.close@gmail.com> > wrote: >> >> Firefox, Chrome and Caja have now all declared an interest in >> implementing UMP. Opera and Safari have both declared an interest in >> implementing the functionality defined in UMP under the name CORS. I >> think it's clear that UMP has sufficient implementor interest to >> proceed along the standardization path. >> >> In the discussion on chromium-dev, Adam Barth wrote: >> >> """ >> Putting these together, it looks like we want a separate UMP >> specification for web developers and a combined CORS+UMP specification >> for user agent implementors. Consequently, I think it makes sense for >> the working group to publish UMP separately from CORS but have all the >> user agent conformance requirements in the combined CORS+UMP document. >> """ >> >> See: >> >> >> http://groups.google.com/a/chromium.org/group/chromium-dev/msg/4793e08f8ec98914?hl=en_US >> >> I think this is a satisfactory compromise and conclusion to the >> current debate. Anne, are you willing to adopt this strategy? If so, I >> think there needs to be a normative statement in the CORS spec that >> identifies the algorithms and corresponding inputs that implement UMP. > > I don't understand. As far as I can tell Adam suggests making UMP an > authoring guide. I read Adam as saying the UMP specification should be published. The words "authoring guide" don't appear. I believe his reference to a benefit for web developers refers to an opinion expressed earlier in the thread that the UMP specification is more easily understood by web developers. > Why would CORS need to normatively depend on it? For developers to be able to rely on the normative statements made in UMP when using a CORS implementation, CORS must normatively claim to be implementing UMP. >> Before sending UMP to Last Call, we need a CORS and UMP agreement on >> response header filtering. We need to reconcile the following two >> sections: >> >> >> http://dev.w3.org/2006/waf/access-control/#handling-a-response-to-a-cross-origin-re >> >> and >> >> http://dev.w3.org/2006/waf/UMP/#response-header-filtering >> >> Remaining subset issues around caching and credentials can be >> addressed with editorial changes to CORS. I'll provide more detail in >> a later email, assuming we've reached a compromise. > > I think we first need to figure out whether we want to rename headers or > not, before any draft goes to Last Call, especially if UMP wants to remain a > subset of some sorts. AFAICT, your renaming proposal does not cover this section of CORS. I think the two efforts can proceed in parallel. I look forward to your feedback on this topic. --Tyler -- "Waterken News: Capability security on the Web" http://waterken.sourceforge.net/recent.html
Received on Tuesday, 11 May 2010 18:17:53 UTC