- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 12 May 2010 11:35:15 -0700
- To: Ojan Vafai <ojan@chromium.org>
- Cc: Ian Hickson <ian@hixie.ch>, Arthur Barstow <Art.Barstow@nokia.com>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>

On Wed, May 12, 2010 at 11:21 AM, Ojan Vafai <ojan@chromium.org> wrote:
> On Wed, May 12, 2010 at 9:01 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>
>> In the general case, including many common cases, doing this
>> validation is not feasible. The CORS specification should not be
>> allowed to proceed through standardization without providing
>> developers a robust solution to this problem.
>>
>> CORS is a new protocol and the WG has been made aware of the security
>> issue before applications have become widely dependent upon it. The WG
>> cannot responsibly proceed with CORS as is.
>
> Clearly there is a fundamental philosophical difference here. The end result
> is pretty clear:
> 1. Every implementor except Caja is implementing CORS and prefers a unified
> CORS/UMP spec.

IE does not currently implement the disputed sections of CORS. I don't know what their plans are. Without IE support, the disputed sections of CORS are not a viable option for developers.

Caja and similar technologies are unable to implement full CORS. It's not just that they don't want to.

> 2. Some implementors are unwilling to implement a separate UMP spec.

So CORS normatively claims to implement UMP and uses its algorithmic spec to show how.

> The same arguments have been hashed out multiple times. The above is not
> going to change by talking through them again.
> Blocking the CORS spec on principle is meaningless at this point. Even if
> the spec were not officially standardized. It's shipping in browsers. It's
> not going to be taken back.

Again, the disputed sections of CORS are not yet widely deployed (no IE) and so are not yet widely adopted by developers.

> Realistically, UMP's only hope of actually getting wide adoption is if it's
> part of the CORS spec. Can you focus on improving CORS so that it addresses
> your concerns as much as realistically possible?

UMP has had that effect on CORS and I'll continue to pursue this. I also want to see the bad stuff removed.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 12 May 2010 18:35:48 UTC