- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 12 Jan 2010 14:19:44 -0800
- To: Adam Barth <abarth@webkit.org>
- Cc: public-webapps <public-webapps@w3.org>

I believe all three protocols attach the same semantics to the
"Access-Control-Allow-Origin: *" response header sent in response to a
GET or POST request. Unless you know of a significant difference in
the semantics, breaking compatibility seems unwarranted.

--Tyler

On Tue, Jan 12, 2010 at 12:54 PM, Adam Barth <abarth@webkit.org> wrote:
> In the current draft of UMP, the client can opt-in to UMP by choosing
> to use the UniformMessaging API, but the server is unable to force
> clients to use UMP because the way the server opts into the protocol
> is by returning the Access-Control-Allow-Origin header.
> Unfortunately, when the server returns the Access-Control-Allow-Origin
> header, the server also opts into the CORS and XDomainRequest
> protocols. The server operator might be reticent to opt into these
> protocols if he or she is worried about ambient authority.
>
> I recommend using a new header, like "Allow-Uniform-Messages: level-1"
> so that servers can opt into UMP specifically.
>
> Adam
>

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Tuesday, 12 January 2010 22:20:17 UTC