Re: [UMP] Server opt-in

I believe all three protocols attach the same semantics to the
"Access-Control-Allow-Origin: *" response header sent in response to a
GET or POST request. Unless you know of a significant difference in
the semantics, breaking compatibility seems unwarranted.


On Tue, Jan 12, 2010 at 12:54 PM, Adam Barth wrote:
> In the current draft of UMP, the client can opt-in to UMP by choosing
> to use the UniformMessaging API, but the server is unable to force
> clients to use UMP because the way the server opts into the protocol
> is by returning the Access-Control-Allow-Origin header.
>
> Unfortunately, when the server returns the Access-Control-Allow-Origin
> header, the server also opts into the CORS and XDomainRequest
> protocols.  The server operator might be reticent to opt into these
> protocols if he or she is worried about ambient authority.
>
> I recommend using a new header, like "Allow-Uniform-Messages: level-1"
> so that servers can opt into UMP specifically.
>
> Adam

"Waterken News: Capability security on the Web"

Received on Tuesday, 12 January 2010 22:20:17 UTC