On Mon, Apr 12, 2010 at 3:10 PM, Tyler Close <[email protected]> wrote: >> I think even taken together, your set of subset conditions does guarantee >> that a CORS client implementation is automatically also a UMP client >> implementation. If we went that way, then we would have to consider whether >> there will ever be client implementors of UMP itself, or it will be >> impossible to fulfill CR exit criteria. > > If there are implementers of CORS, then by definition, there are > implementers of UMP. I don't see anything in CR exit criteria that > requires implementers to swear not to also implement other > specifications.
So is sending the 'Origin' and 'Referer' headers ok per UMP? The current CORS implementation in firefox always sends those headers. I would have imagined that UMP would explicitly forbid any ambient authority or identity information other than IP number? / Jonas
