Hi Maciej and Tyler,

IMO, the important subsetting points, in priority order, are:

1) Server-side behavior compatible with UMP is automatically compatible with
CORS and with present CORS-like browser behaviors.

2) The client-side mechanisms one needs to implement UMP correctly are a
small subset of the mechanisms one needs to implement CORS. Having made the
investment in implementing CORS-like mechanisms, no significant further
internal mechanism is needed to implement UMP. (Indeed, I wouldn't be
surprised if one could derive an UMP implementation from a CORS
implementation mostly by commenting out code.)

3) Given other proposals already on the table -- CORS and unique-origin
iframes -- one could build the proposed xhr-like UniformRequest API as a
library on top. Though these requests would include an unneeded "Origin:
null" header, such a header is not a credential and so would not violate any
MUST in UMP. The messages would still be Uniform.

I think this thread has focussed exclusively on point #3 and lost sight of
points #1 and #2.

--
Cheers,
--MarkM