On Tue, Jan 12, 2010 at 2:19 PM, Tyler Close <[email protected]> wrote:
> On Tue, Jan 12, 2010 at 12:54 PM, Adam Barth <[email protected]> wrote:
>> In the current draft of UMP, the client can opt-in to UMP by choosing
>> to use the UniformMessaging API, but the server is unable to force
>> clients to use UMP because the way the server opts into the protocol
>> is by returning the Access-Control-Allow-Origin header.
>> Unfortunately, when the server returns the Access-Control-Allow-Origin
>> header, the server also opts into the CORS and XDomainRequest
>> protocols. The server operator might be reticent to opt into these
>> protocols if he or she is worried about ambient authority.
>>
>> I recommend using a new header, like "Allow-Uniform-Messages: level-1"
>> so that servers can opt into UMP specifically.
>
> I believe all three protocols attach the same semantics to the
> "Access-Control-Allow-Origin: *" response header sent in response to a
> GET or POST request. Unless you know of a significant difference in
> the semantics, breaking compatibility seems unwarranted.
Let me phrase my question another way. Suppose the following situation:

1) I'm a server operator and I want to provide a resource to other web sites.
2) I've been reading public-webapps and I'm concerned about the ambient authority in CORS.

How can I share my resource with other web sites and enjoy the security benefits of UMP?

Adam
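The operator's concern in this exchange, as an added illustration that is not code from UMP, CORS or either participant: a minimal server-side handler that opts into cross-origin sharing with the `Access-Control-Allow-Origin: *` header all three protocols read, and therefore makes sure the response never depends on ambient credentials the browser may have attached. Request and response headers are plain dicts, the resource is public sample data, and the `X-Ignored-Credentials` header is a hypothetical audit marker, all assumptions of this example.

```python
# Added illustration (not from the thread): serve a resource to any origin
# while refusing to let ambient credentials shape the response.
# Assumptions: requests are dicts of header name -> value; resource is public.

AMBIENT_CREDENTIAL_HEADERS = {"cookie", "authorization"}
PUBLIC_RESOURCE = b'{"quote": "hello, world"}'   # constructed sample body


def strip_ambient_credentials(headers):
    """Return (headers without cookies/HTTP auth, lowercase names dropped)."""
    kept, dropped = {}, []
    for name, value in headers.items():
        if name.lower() in AMBIENT_CREDENTIAL_HEADERS:
            dropped.append(name.lower())
        else:
            kept[name] = value
    return kept, dropped


def handle(method, headers):
    """Serve the shared resource for GET/POST; return (status, headers, body).

    "Access-Control-Allow-Origin: *" is the opt-in CORS, XDomainRequest and
    UMP all understand, so the body is computed only from the credential-free
    view of the request and is identical whether or not cookies arrived.
    """
    if method not in ("GET", "POST"):
        return 405, {"Allow": "GET, POST"}, b""
    _safe_headers, dropped = strip_ambient_credentials(headers)
    response_headers = {
        "Access-Control-Allow-Origin": "*",
        "Content-Type": "application/json",
        # Deliberately no Access-Control-Allow-Credentials: the response
        # carries no per-user data, so there is nothing for it to unlock.
    }
    if dropped:
        # Hypothetical audit marker: a credentialed cross-origin request
        # arrived, and the credentials were ignored rather than honoured.
        response_headers["X-Ignored-Credentials"] = ",".join(sorted(dropped))
    return 200, response_headers, PUBLIC_RESOURCE


def body_independent_of_credentials(method="GET"):
    """True if the served body does not vary with ambient credentials."""
    origin = {"Origin": "https://other.example"}
    anon = handle(method, dict(origin))
    cred = handle(method, dict(origin, Cookie="sid=abc", Authorization="Basic x"))
    return anon[2] == cred[2]
```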
