On Tue, 11 May 2010 19:48:57 +0200, Tyler Close <tyler.cl...@gmail.com>
wrote:
Firefox, Chrome and Caja have now all declared an interest in
implementing UMP. Opera and Safari have both declared an interest in
implementing the functionality defined in UMP under the name CORS. I
think it's clear that UMP has sufficient implementor interest to
proceed along the standardization path.
In the discussion on chromium-dev, Adam Barth wrote:
"""
Putting these together, it looks like we want a separate UMP
specification for web developers and a combined CORS+UMP specification
for user agent implementors. Consequently, I think it makes sense for
the working group to publish UMP separately from CORS but have all the
user agent conformance requirements in the combined CORS+UMP document.
"""
See:
http://groups.google.com/a/chromium.org/group/chromium-dev/msg/4793e08f8ec98914?hl=en_US
I think this is a satisfactory compromise and conclusion to the
current debate. Anne, are you willing to adopt this strategy? If so, I
think there needs to be a normative statement in the CORS spec that
identifies the algorithms and corresponding inputs that implement UMP.
I don't understand. As far as I can tell Adam suggests making UMP an
authoring guide. Why would CORS need to normatively depend on it?
Before sending UMP to Last Call, we need a CORS and UMP agreement on
response header filtering. We need to reconcile the following two
sections:
http://dev.w3.org/2006/waf/access-control/#handling-a-response-to-a-cross-origin-re
and
http://dev.w3.org/2006/waf/UMP/#response-header-filtering
Remaining subset issues around caching and credentials can be
addressed with editorial changes to CORS. I'll provide more detail in
a later email, assuming we've reached a compromise.
I think we first need to figure out whether we want to rename headers or
not, before any draft goes to Last Call, especially if UMP wants to remain
a subset of some sorts.
--
Anne van Kesteren
http://annevankesteren.nl/
