- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 2 Feb 2010 11:15:24 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>

On Sun, Jan 31, 2010 at 11:03 PM, Maciej Stachowiak <mjs@apple.com> wrote:

> I'm curious what practical differences there are between CORS with the credentials flag
> set to false and the origin set to "null", and UMP. Are there any?

The credentials flag in CORS is underspecified, so it's hard to answer this question.

Since we've all noted that CORS and UMP take a different approach to the problem, I think it would be confusing to bundle them in a single spec. If CORS wants to be a superset of UMP, then I think it's best to write CORS as an extension of UMP, and so referencing UMP, rather than absorbing it. This specification layout would also make it easier to communicate the differences between an AnonXMLHttpRequest (or UniformRequest) and an XHR2; each would link to their corresponding spec document without needing to select only the relevant sub-sections.

Since UMP is also much smaller and simpler than CORS, I think it makes sense to push it through the standardization process at a faster pace than CORS. For example, I think it is reasonable to move UMP to Last Call as early as next month, or even the end of this month.

> Note: in light of the above, I think AnonXMLHttpRequest would be almost the same as XDomainRequest, the only difference being that it would send "Origin: null" instead of the sender's actual Origin.

As the UMP spec notes, it is within the intersection of what has been commonly deployed across user-agents. I'm curious to learn Microsoft's assessment of UMP, since, as you note, it is very close to their own XDomainRequest.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Tuesday, 2 February 2010 19:15:57 UTC