[UMP] Feedback on UMP from a quick read

In particular, the user agent should not add the HTTP headers:
User-Agent, Accept, Accept-Language, Accept-Encoding, or

This seems a bit overly constrictive.  Maybe we should send "Accept: */*", etc?

More generally, I suspect the requirements in Section 3.2 violate
various HTTP RFCs.  Maybe we should use the term "willful violation"

If the response to a uniform request is an HTTP redirect, it is
handled as specified by [HTTP], whether or not the redirect is itself
a uniform response. If the redirect is not a uniform response, the
user-agent must still prevent the requesting content from accessing
the content of the redirect itself, though a response to a redirected
request might be accessible if it is a uniform response. If the
response to a uniform request is an HTTP redirect, any redirected
request must also be a uniform request.

This seems looser than needed.  It would be better if the redirect had
to be a uniform response also.  There's a note in the spec "The HTML
<form> element can also follow any redirect, without restriction by
the Same Origin Policy", but the <form> element also sends Accept and
User-Agent headers.  What's the reason for excluding the headers but
not requiring redirects to be uniform responses?

What happens with Set-Cookie headers included in uniform responses?
It seems like we ought to ignore them based on the principle that UMP
requests are made from a state store / context that is completely
separate from the user agents normal state store / context.


Received on Friday, 8 January 2010 21:42:01 UTC