Re: UMP / CORS: Implementor Interest

On Tue, May 11, 2010 at 10:54 AM, Anne van Kesteren <> wrote:
> On Tue, 11 May 2010 19:48:57 +0200, Tyler Close <>
> wrote:
>> Firefox, Chrome and Caja have now all declared an interest in
>> implementing UMP. Opera and Safari have both declared an interest in
>> implementing the functionality defined in UMP under the name CORS. I
>> think it's clear that UMP has sufficient implementor interest to
>> proceed along the standardization path.
>> In the discussion on chromium-dev, Adam Barth wrote:
>> """
>> Putting these together, it looks like we want a separate UMP
>> specification for web developers and a combined CORS+UMP specification
>> for user agent implementors.  Consequently, I think it makes sense for
>> the working group to publish UMP separately from CORS but have all the
>> user agent conformance requirements in the combined CORS+UMP document.
>> """
>> See:
>> I think this is a satisfactory compromise and conclusion to the
>> current debate. Anne, are you willing to adopt this strategy? If so, I
>> think there needs to be a normative statement in the CORS spec that
>> identifies the algorithms and corresponding inputs that implement UMP.
> I don't understand. As far as I can tell Adam suggests making UMP an
> authoring guide.

I read Adam as saying the UMP specification should be published. The
words "authoring guide" don't appear. I believe his reference to a
benefit for web developers refers to an opinion expressed earlier in
the thread that the UMP specification is more easily understood by web

> Why would CORS need to normatively depend on it?

For developers to be able to rely on the normative statements made in
UMP when using a CORS implementation,  CORS must normatively claim to
be implementing UMP.

>> Before sending UMP to Last Call, we need a CORS and UMP agreement on
>> response header filtering. We need to reconcile the following two
>> sections:
>> and
>> Remaining subset issues around caching and credentials can be
>> addressed with editorial changes to CORS. I'll provide more detail in
>> a later email, assuming we've reached a compromise.
> I think we first need to figure out whether we want to rename headers or
> not, before any draft goes to Last Call, especially if UMP wants to remain a
> subset of some sorts.

AFAICT, your renaming proposal does not cover this section of CORS. I
think the two efforts can proceed in parallel. I look forward to your
feedback on this topic.


"Waterken News: Capability security on the Web"

Received on Tuesday, 11 May 2010 18:17:53 UTC