Re: UMP / CORS: Implementor Interest

On Wed, May 12, 2010 at 11:35 AM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, May 12, 2010 at 11:21 AM, Ojan Vafai <ojan@chromium.org> wrote:
>> On Wed, May 12, 2010 at 9:01 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>>
>>> In the general case, including many common cases, doing this
>>> validation is not feasible. The CORS specification should not be
>>> allowed to proceed through standardization without providing
>>> developers a robust solution to this problem.
>>>
>>> CORS is a new protocol and the WG has been made aware of the security
>>> issue before applications have become widely dependent upon it. The WG
>>> cannot responsibly proceed with CORS as is.
>>
>> Clearly there is a fundamental philosophical difference here. The end result
>> is pretty clear:
>> 1. Every implementor except Caja is implementing CORS and prefers a unified
>> CORS/UMP spec.
>
> IE does not currently implement the disputed sections of CORS. I don't
> know what their plans are. Without IE support, the disputed sections
> of CORS are not a viable option for developers.

Really? As far as I know IE sends the "Origin" header which as I
understood it was a major source of the confused deputy problem and a
big reason for drafting the UMP spec?

>> Realistically, UMP's only hope of actually getting wide adoption is if it's
>> part of the CORS spec. Can you focus on improving CORS so that it addresses
>> your concerns as much as realistically possible?
>
> UMP has had that effect on CORS and I'll continue to pursue this. I
> also want to see the bad stuff removed.

If so, I'd really like to see the chairs move forward with making the
WG make some sort of formal decision on weather CORS should be
published or not. Repeating the same discussion over and over is not
good use your time or mine.

/ Jonas

Received on Wednesday, 12 May 2010 18:43:52 UTC