Re: UMP / CORS: Implementor Interest

On Tue, May 11, 2010 at 10:54 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 11 May 2010 19:48:57 +0200, Tyler Close <tyler.close@gmail.com>
> wrote:
>>
>> Firefox, Chrome and Caja have now all declared an interest in
>> implementing UMP. Opera and Safari have both declared an interest in
>> implementing the functionality defined in UMP under the name CORS. I
>> think it's clear that UMP has sufficient implementor interest to
>> proceed along the standardization path.
>>
>> In the discussion on chromium-dev, Adam Barth wrote:
>>
>> """
>> Putting these together, it looks like we want a separate UMP
>> specification for web developers and a combined CORS+UMP specification
>> for user agent implementors.  Consequently, I think it makes sense for
>> the working group to publish UMP separately from CORS but have all the
>> user agent conformance requirements in the combined CORS+UMP document.
>> """
>>
>> See:
>>
>>
>> http://groups.google.com/a/chromium.org/group/chromium-dev/msg/4793e08f8ec98914?hl=en_US
>>
>> I think this is a satisfactory compromise and conclusion to the
>> current debate. Anne, are you willing to adopt this strategy? If so, I
>> think there needs to be a normative statement in the CORS spec that
>> identifies the algorithms and corresponding inputs that implement UMP.
>
> I don't understand. As far as I can tell Adam suggests making UMP an
> authoring guide.

I read Adam as saying the UMP specification should be published. The
words "authoring guide" don't appear. I believe his reference to a
benefit for web developers refers to an opinion expressed earlier in
the thread that the UMP specification is more easily understood by web
developers.

> Why would CORS need to normatively depend on it?

For developers to be able to rely on the normative statements made in
UMP when using a CORS implementation, CORS must normatively claim to
be implementing UMP.

>> Before sending UMP to Last Call, we need a CORS and UMP agreement on
>> response header filtering. We need to reconcile the following two
>> sections:
>>
>>
>> http://dev.w3.org/2006/waf/access-control/#handling-a-response-to-a-cross-origin-re
>>
>> and
>>
>> http://dev.w3.org/2006/waf/UMP/#response-header-filtering
>>
>> Remaining subset issues around caching and credentials can be
>> addressed with editorial changes to CORS. I'll provide more detail in
>> a later email, assuming we've reached a compromise.
>
> I think we first need to figure out whether we want to rename headers or
> not, before any draft goes to Last Call, especially if UMP wants to remain a
> subset of some sort.

AFAICT, your renaming proposal does not cover this section of CORS. I
think the two efforts can proceed in parallel. I look forward to your
feedback on this topic.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Tuesday, 11 May 2010 18:17:53 UTC