- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sun, 31 Jan 2010 23:03:03 -0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: WebApps WG <public-webapps@w3.org>
On Jan 31, 2010, at 1:50 PM, Anne van Kesteren wrote: > I'm not really convinced we need all of > > http://dev.w3.org/2006/waf/UMP/ > > to handle the simple use case it is for. I think UMP can be layered on top of CORS by simply letting the origin be a unique identifier and always have the credentials flag be false. Why a unique identifier instead of "Origin: null"? > A new constructor could be used for XMLHttpRequest -- maybe called AnonXMLHttpRequest() -- to enable this behavior. Or it could be a constructor parameter or some attributes that you set, though that would be a bit more work for object-capability subsets. > > Since most people in the WG seem to think we should have both UMP and CORS this solution seems much more straightforward and practical. > > Thoughts? I'm curious what practical differences there are between CORS with the credentials flag set to false and the origin set to "null", and UMP. Are there any? Right now UMP doesn't support preflights, so we'd need to either add a "no preflight requests" flag, or ensure that AnonXMLHttpRequest cannot send any requests which would result in preflight. Note: in light of the above, I think AnonXMLHttpRequest would be almost the same as XDomainRequest, the only difference being that it would send "Origin: null" instead of the sender's actual Origin. Regards, Maciej
Received on Monday, 1 February 2010 07:03:37 UTC