- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 12 Jan 2010 14:47:39 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webapps <public-webapps@w3.org>
On Tue, Jan 12, 2010 at 2:44 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Jan 12, 2010 at 2:19 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Tue, Jan 12, 2010 at 12:54 PM, Adam Barth <abarth@webkit.org> wrote:
>>> In the current draft of UMP, the client can opt in to UMP by choosing
>>> to use the UniformMessaging API, but the server is unable to force
>>> clients to use UMP because the way the server opts into the protocol
>>> is by returning the Access-Control-Allow-Origin header.
>>> Unfortunately, when the server returns the Access-Control-Allow-Origin
>>> header, the server also opts into the CORS and XDomainRequest
>>> protocols. The server operator might be reticent to opt into these
>>> protocols if he or she is worried about ambient authority.
>>>
>>> I recommend using a new header, like "Allow-Uniform-Messages: level-1"
>>> so that servers can opt into UMP specifically.
>>
>> I believe all three protocols attach the same semantics to the
>> "Access-Control-Allow-Origin: *" response header sent in response to a
>> GET or POST request. Unless you know of a significant difference in
>> the semantics, breaking compatibility seems unwarranted.
>
> Let me phrase my question another way. Suppose the following situation:
>
> 1) I'm a server operator and I want to provide a resource to other web sites.
> 2) I've been reading public-webapps and I'm concerned about the
> ambient authority in CORS.
>
> How can I share my resource with other web sites and enjoy the
> security benefits of UMP?

Follow the advice given in the "Security Considerations" section of the
UMP spec:

http://dev.w3.org/2006/waf/UMP/#security

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 12 January 2010 22:48:13 UTC