Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

On Thu, Apr 8, 2010 at 5:39 AM, Arthur Barstow <Art.Barstow@nokia.com> wrote:
> Tyler - do any of these CORS issues apply to UMP?
>>>
>>>  Reduce the length of the header names?
>>>  http://www.w3.org/2008/webapps/track/issues/89

UMP uses one header: "Access-Control-Allow-Origin". The FPWD suggested
a new, shorter name for this header but no implementers voiced support
for it and the current header is deployed in several generations of
several major user-agents. I agree with mnot's argument that the
header names are both verbose and misleading. I'd be happy to
re-introduce the shorter header name if implementers sign on; where
resources initially send both, user-agents check for either and
eventually resources send only the shorter header name.

In any case, this problem is both possible and feasible to solve. It's
just a matter of finding the will to solve it.

>>>  Exposing more (~infinite) response headers
>>>  http://www.w3.org/2008/webapps/track/issues/90

UMP does not require user-agents to do any filtering of response
headers beyond what is normally done by an HTTP client. Consequently,
an UMP resource author cannot rely on such filtering being done. There
might be an issue here if a CORS resource expects filtering to be done
and sends a dangerous response header in a uniform response to a
uniform request (so no request credentials, Origin: null, response
marked accessible to any origin and yet a dangerous response header is
sent with the hope the user-agent will filter it out). I'll track the
CORS resolution to this issue.

>>>  confused deputy problem
>>>  http://www.w3.org/2008/webapps/track/issues/108

UMP exists to address this issue.

>>>  CORS does not define the effect of the credentials flag in sufficient
>>> detail
>>>  http://www.w3.org/2008/webapps/track/issues/114

UMP exists to address this issue.

>>> And the latest ED includes 3 "red block" Issues.

UMP does not have a dependency on the Origin header and reuses the RFC
2616 terminology as is.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Thursday, 8 April 2010 17:56:59 UTC
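An added example, not from Tyler's message or from the UMP/CORS drafts, that models the header-filtering difference discussed above: a CORS user-agent lets a cross-origin script read only the "simple response headers" plus those listed in Access-Control-Expose-Headers, whereas a UMP user-agent filters nothing beyond an ordinary HTTP client, so the resource author's own audit of a uniform response is the only safeguard. The simple-header list follows the 2010-era CORS draft; the header names in the sample responses are constructed.

```python
"""Model CORS vs. UMP response-header visibility for a uniform request."""

# Headers a CORS user-agent exposes cross-origin without an explicit
# Access-Control-Expose-Headers listing (per the CORS draft of the time).
CORS_SIMPLE_RESPONSE_HEADERS = {
    "cache-control", "content-language", "content-type",
    "expires", "last-modified", "pragma",
}


def _lower(headers):
    """Normalise header names to lower case for comparison."""
    return {k.lower(): v for k, v in headers.items()}


def is_uniform_request(request_headers):
    """A uniform request carries no credentials and sends Origin: null."""
    h = _lower(request_headers)
    if "cookie" in h or "authorization" in h:
        return False
    return h.get("origin") == "null"


def readable_headers_cors(response_headers):
    """Headers a CORS user-agent lets a cross-origin script read."""
    h = _lower(response_headers)
    exposed = {x.strip().lower()
               for x in h.get("access-control-expose-headers", "").split(",")
               if x.strip()}
    return {k: v for k, v in h.items()
            if k in CORS_SIMPLE_RESPONSE_HEADERS or k in exposed}


def readable_headers_ump(response_headers):
    """UMP: no filtering beyond a normal HTTP client, so everything is readable."""
    return _lower(response_headers)


def audit_uniform_response(request_headers, response_headers, sensitive):
    """Server-side check for the case the message warns about: a uniform
    request answered with Access-Control-Allow-Origin: * must not carry
    headers the author considers sensitive, since UMP clients will not
    filter them. Returns the offending header names (sorted)."""
    h = _lower(response_headers)
    if not is_uniform_request(request_headers):
        return []
    if h.get("access-control-allow-origin") != "*":
        return []
    flagged = {s.lower() for s in sensitive}
    return sorted(k for k in readable_headers_ump(response_headers) if k in flagged)
```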