Re: [XHR2] AnonXMLHttpRequest()

On Sun, Jan 31, 2010 at 11:03 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> I'm curious what practical differences there are between CORS with the credentials flag
> set to false and the origin set to "null", and UMP. Are there any?

The credentials flag in CORS is underspecified, so it's hard to answer
this question.

Since we've all noted that CORS and UMP take a different approach to
the problem, I think it would be confusing to bundle them in a single
spec. If CORS wants to be a superset of UMP, then I think it's best to
write CORS as an extension of UMP, and so referencing UMP, rather than
absorbing it. This specification layout would also make it easier to
communicate the differences between an AnonXMLHttpRequest (or
UniformRequest) and an XHR2; each would link to their corresponding
spec document without needing to select only the relevant
sub-sections.

Since UMP is also much smaller and simpler than CORS, I think it makes
sense to push it through the standardization process at a faster pace
than CORS. For example, I think it is reasonable to move UMP to Last
Call as early as next month, or even the end of this month.

> Note: in light of the above, I think AnonXMLHttpRequest would be almost the same as XDomainRequest, the only difference being that it would send "Origin: null" instead of the sender's actual Origin.

As the UMP spec notes, it is within the intersection of what has been
commonly deployed across user-agents. I'm curious to learn Microsoft's
assessment of UMP, since, as you note, it is very close to their own
XDomainRequest.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Tuesday, 2 February 2010 19:15:57 UTC