- From: Mark S. Miller <erights@google.com>
- Date: Tue, 12 Jan 2010 16:24:34 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webapps <public-webapps@w3.org>, Tyler Close <tyler.close@gmail.com>
- Message-ID: <4d2fac901001121624o18256f4exf4e97c2a11be3527@mail.gmail.com>
Hi Adam, I don't understand this at all.

First, as the draft UMP already says, were it not for the need to be compatible with currently deployed browser behaviors, UMP would prefer a short header "U:" anyway, rather than the unfortunately long "Access-Control-Allow-Origin:*" in an incompressible position.

Second, we are using the same header because it is the means, under CORS, XDR, and UMP, for the server to opt out of same-origin protections. The server cannot force the client to not provide ambient authority information in any case. The most it can do is ignore such information. It is up to the client not to provide such information. It is the job of the standard to require the client not to provide it, and to inform server-side authors not to expect it.

On Tue, Jan 12, 2010 at 12:58 PM, Adam Barth <w3c@adambarth.com> wrote:
> [Resending from the correct address.]
>
> > In the current draft of UMP, the client can opt-in to UMP by choosing
> > to use the UniformMessaging API, but the server is unable to force
> > clients to use UMP because the way the server opts into the protocol
> > is by returning the Access-Control-Allow-Origin header.
> > Unfortunately, when the server returns the Access-Control-Allow-Origin
> > header, the server also opts into the CORS and XDomainRequest
> > protocols. The server operator might be reticent to opt into these
> > protocols if he or she is worried about ambient authority.
> >
> > I recommend using a new header, like "Allow-Uniform-Messages: level-1"
> > so that servers can opt into UMP specifically.
> >
> > Adam
> >
> >

-- 
Cheers,
--MarkM
Received on Wednesday, 13 January 2010 00:25:05 UTC