Re: [UMP] Server opt-in

Hi Adam, I don't understand this at all. First, as the draft UMP already
says, were it not for the need to be compatible with currently deployed
browser behaviors, UMP would prefer a short header "U:" anyway, rather than
the unfortunately long "Access-Control-Allow-Origin:*" in
an incompressible position.

Second, we are using the same header because it is the means, under CORS,
XDR, and UMP, for the server to opt-out of same-origin protections. The
server cannot force the client to not provide ambient authority information
in any case. The most it can do is ignore such information. It is up to the
client not to provide such information. It is the job of the standard to
require the client not to provide it, and to inform server-side authors not
to expect it.

On Tue, Jan 12, 2010 at 12:58 PM, Adam Barth <> wrote:

> [Resending from the correct address.]
> > In the current draft of UMP, the client can opt-in to UMP by choosing
> > to use the UniformMessaging API, but the server is unable to force
> > clients to use UMP because the way the server opts into the protocol
> > is by returning the Access-Control-Allow-Origin header.
> > Unfortunately, when the server returns the Access-Control-Allow-Origin
> > header, the server also opts into the CORS and XDomainRequest
> > protocols.  The server operator might be reticent to opt into these
> > protocols if he or she is worried about ambient authority.
> >
> > I recommend using a new header, like "Allow-Uniform-Messages: level-1"
> > so that servers can opt into UMP specifically.
> >
> > Adam
> >


Received on Wednesday, 13 January 2010 00:25:05 UTC
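The server-side position argued in the reply above (the server opts out of same-origin protections with the same `Access-Control-Allow-Origin: *` header that CORS and XDR read, and the most it can do about ambient authority is to ignore it), as an added illustrative example that is not from this thread or from any UMP implementation. The `Request`/`Response` types, the `token` query parameter and the token store are assumptions made for the example.

```python
"""Added example (not from the thread): a minimal handler that treats every
request as a uniform, credential-free message. It strips the ambient-authority
headers a client may still send, requires an explicit unguessable token instead,
and answers with Access-Control-Allow-Origin: * (the same opt-out header CORS
and XDomainRequest read, as the thread notes)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumption: these are the headers that carry ambient authority and must never
# influence authorization decisions in this handler.
AMBIENT_AUTHORITY_HEADERS = {"cookie", "authorization"}

# Constructed token store for the example; a real service would keep unguessable
# per-resource tokens in a proper store.
VALID_TOKENS = {"tok-constructed-example"}


@dataclass
class Request:
    method: str
    path: str                       # path plus query string, e.g. "/data?token=..."
    headers: dict                   # header name -> value; names compared case-insensitively
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def strip_ambient_authority(headers):
    """Return a copy of the request headers without cookies or HTTP auth, so
    nothing downstream can accidentally rely on browser-attached credentials."""
    return {k: v for k, v in headers.items() if k.lower() not in AMBIENT_AUTHORITY_HEADERS}


def explicit_token(path):
    """Pull the explicit credential out of the query string (assumed location)."""
    values = parse_qs(urlsplit(path).query).get("token", [])
    return values[0] if values else None


def handle_uniform(req):
    """Authorize only on explicit, non-ambient authority; ignore whatever else arrived."""
    headers = strip_ambient_authority(req.headers)
    resp_headers = {"Access-Control-Allow-Origin": "*"}   # the opt-out from same-origin protection
    token = explicit_token(req.path)
    if token not in VALID_TOKENS:
        # A cookie-bearing request with no token gets the same answer as an anonymous one.
        return Response(403, resp_headers, b"explicit credential required")
    # `headers` is what any further processing would see: no Cookie, no Authorization.
    return Response(200, resp_headers, b"ok; ambient headers seen by handler: %d"
                    % sum(1 for k in headers if k.lower() in AMBIENT_AUTHORITY_HEADERS))


if __name__ == "__main__":
    # Constructed requests: the browser attached a session cookie in both cases.
    anon = Request("GET", "/data", {"Cookie": "session=admin"})
    with_token = Request("GET", "/data?token=tok-constructed-example", {"Cookie": "session=admin"})
    print(handle_uniform(anon).status, handle_uniform(with_token).status)        # 403 200
    print(handle_uniform(Request("GET", "/data?token=tok-constructed-example", {})).status)  # 200
```

The point the handler makes concrete is the one in the reply: the server cannot stop a client from attaching cookies, but it can make them irrelevant, so a request with a cookie and no explicit token is refused exactly like an anonymous one, and a request with the token succeeds whether or not a cookie came along.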