W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [UMP] Server opt-in

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 12 Jan 2010 14:44:04 -0800
Message-ID: <7789133a1001121444o52c33a8eo8bcea6208c3a71b8@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
On Tue, Jan 12, 2010 at 2:19 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, Jan 12, 2010 at 12:54 PM, Adam Barth <abarth@webkit.org> wrote:
>> In the current draft of UMP, the client can opt-in to UMP by choosing
>> to use the UniformMessaging API, but the server is unable to force
>> clients to use UMP because the way the server opts into the protocol
>> is by returning the Access-Control-Allow-Origin header.
>> Unfortunately, when the server returns the Access-Control-Allow-Origin
>> header, the server also opts into the CORS and XDomainRequest
>> protocols.  The server operator might be reticent to opt into these
>> protocols if he or she is worried about ambient authority.
>> I recommend using a new header, like "Allow-Uniform-Messages: level-1"
>> so that servers can opt into UMP specifically.
> I believe all three protocols attach the same semantics to the
> "Access-Control-Allow-Origin: *" response header sent in response to a
> GET or POST request. Unless you know of a significant difference in
> the semantics, breaking compatibility seems unwarranted.

Let my phrase my question another way.  Suppose the following situation:

1) I'm a server operator and I want to provide a resource to other web sites.
2) I've been reading public-webapps and I'm concerned about the
ambient authority in CORS.

How can I share my resource with other web sites and enjoy the
security benefits of UMP?

Received on Tuesday, 12 January 2010 22:44:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:04 UTC