Hi Maciej and Tyler,

IMO, the important subsetting points, in priority order, are:

1) Server-side behavior compatible with UMP is automatically compatible with CORS and with present CORS-like browser behaviors.

2) The client-side mechanisms one needs to implement UMP correctly are a small subset of the mechanisms one needs to implement CORS. Having made the investment in implementing CORS-like mechanisms, no significant further internal mechanism is needed to implement UMP. (Indeed, I wouldn't be surprised if one could derive an UMP implementation from a CORS implementation mostly by commenting out code.)

3) Given other proposals already on the table -- CORS and unique-origin iframes -- one could build the proposed xhr-like UniformRequest API as a library on top. Though these requests would include an unneeded "Origin: null" header, such a header is not a credential and so would not violate any MUST in UMP. The messages would still be Uniform.

I think this thread has focussed exclusively on point #3 and lost sight of points #1 and #2.

--
Cheers,
--MarkM