Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Maciej Stachowiak
On Apr 19, 2010, at 12:13 PM, Jonas Sicking wrote: On Mon, Apr 19, 2010 at 11:47 AM, Tyler Close wrote: On Mon, Apr 19, 2010 at 11:39 AM, Jonas Sicking wrote: On Mon, Apr 19, 2010 at 11:30 AM, Maciej Stachowiak wrote: On Apr 19, 2010, at 10:06 AM, Tyler Close wrote: Uniform-Head

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Julian Reschke
On 19.04.2010 20:30, Tyler Close wrote: ... Again: did you check all the headers in the permanent registry? If you did, why are the ones (which are just examples) missing? And what's the reason to default to strip general headers and response headers? Again, the model is to define a minimal wh

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Jonas Sicking
On Mon, Apr 19, 2010 at 11:47 AM, Tyler Close wrote: > On Mon, Apr 19, 2010 at 11:39 AM, Jonas Sicking wrote: >> On Mon, Apr 19, 2010 at 11:30 AM, Maciej Stachowiak wrote: >>> >>> On Apr 19, 2010, at 10:06 AM, Tyler Close wrote: >>>     Uniform-Headers = "Uniform-Headers" ":" ( "*" | #field

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Tyler Close
On Mon, Apr 19, 2010 at 11:39 AM, Jonas Sicking wrote: > On Mon, Apr 19, 2010 at 11:30 AM, Maciej Stachowiak wrote: >> >> On Apr 19, 2010, at 10:06 AM, Tyler Close wrote: >> >>>     Uniform-Headers = "Uniform-Headers" ":" ( "*" | #field-name ) >> >> [...] >> >>> Are Apple and/or Firefox intereste

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Jonas Sicking
On Mon, Apr 19, 2010 at 11:30 AM, Maciej Stachowiak wrote: > > On Apr 19, 2010, at 10:06 AM, Tyler Close wrote: > >>     Uniform-Headers = "Uniform-Headers" ":" ( "*" | #field-name ) > > [...] > >> Are Apple and/or Firefox interested in implementing the above? Does >> mnot or other HTTP WG members

Re: [UMP] Request for Last Call

2010-04-19 Thread Tyler Close
On Wed, Apr 7, 2010 at 8:50 PM, Maciej Stachowiak wrote: On Thu, Apr 8, 2010 at 5:40 AM, Tyler Close wrote: > I think there is a burden on CORS to explain the > "Don't Be A Deputy" (DBAD) policy you've claimed enables developers to > safely use CORS. If this policy is fully explained to developer

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Maciej Stachowiak
On Apr 19, 2010, at 10:06 AM, Tyler Close wrote: Uniform-Headers = "Uniform-Headers" ":" ( "*" | #field-name ) [...] Are Apple and/or Firefox interested in implementing the above? Does mnot or other HTTP WG members consider the above a satisfactory solution to ISSUE-90? I'm intereste

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Tyler Close
On Mon, Apr 19, 2010 at 10:55 AM, Julian Reschke wrote: > On 19.04.2010 19:37, Tyler Close wrote: The default members of the above whitelist include response entity headers defined by [HTTP], plus the Location and Warning headers. The >>> >>> Why are you ignoring other headers in th

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Julian Reschke
On 19.04.2010 19:37, Tyler Close wrote: The default members of the above whitelist include response entity headers defined by [HTTP], plus the Location and Warning headers. The Why are you ignoring other headers in the permanent registry? Why only allow entity headers? What the problem, for ins

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Tyler Close
On Mon, Apr 19, 2010 at 10:20 AM, Julian Reschke wrote: > On 19.04.2010 19:06, Tyler Close wrote: >> >> ... >> 4.2 Response Header Filtering >> >> Some HTTP servers construct an HTTP response in multiple stages. In >> such a deployment, an earlier stage might produce a uniform response >> which is

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Julian Reschke
On 19.04.2010 19:06, Tyler Close wrote: ... 4.2 Response Header Filtering Some HTTP servers construct an HTTP response in multiple stages. In such a deployment, an earlier stage might produce a uniform response which is augmented with additional response headers by a later stage that does not un

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Tyler Close
On Mon, Apr 19, 2010 at 12:41 AM, Maciej Stachowiak wrote: > I think a whitelist with opt-in exceptions strikes the right balance between > security and extensibility. You haven't provided any reasons why that's not > good enough. Along those lines, I propose to modify UMP as follows: """ 4.1 Un
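The filtering this message proposes (a default whitelist of exposable response headers, widened per response by a Uniform-Headers field whose value is either "*" or a list of field names) is concrete enough to sketch as code. The block below is an added illustration written for this page; it is not text from the UMP draft, from CORS, or from any browser. It assumes the default whitelist described in the thread (the HTTP/1.1 entity headers from RFC 2616 section 7.1 plus Location and Warning), compares names case-insensitively as HTTP requires, and merges multiple Uniform-Headers fields. The sample response and the X-Request-Id header in it are constructed for the example.

```javascript
// Added example: response-header filtering in the style of the
// "Uniform-Headers" proposal from this thread. Illustrative code only,
// not the UMP draft's text and not any browser's implementation.

// Default whitelist as described in the thread: the HTTP/1.1 entity
// headers (RFC 2616 section 7.1) plus Location and Warning. Anything else
// (ETag, Set-Cookie, Server, X-* headers, ...) needs an explicit opt-in.
const DEFAULT_EXPOSED = new Set([
  'allow', 'content-encoding', 'content-language', 'content-length',
  'content-location', 'content-md5', 'content-range', 'content-type',
  'expires', 'last-modified',
  'location', 'warning',
]);

// Parse one Uniform-Headers value: "*" or a comma-separated #field-name
// list. Returns { all: true } for "*", otherwise a Set of lower-cased
// names. Empty list elements are skipped, as HTTP list syntax permits.
function parseUniformHeaders(value) {
  const trimmed = String(value).trim();
  if (trimmed === '*') return { all: true };
  const names = new Set();
  for (const part of trimmed.split(',')) {
    const name = part.trim().toLowerCase();
    if (name) names.add(name);
  }
  return names;
}

// Collect the opt-in from every Uniform-Headers field in the response.
// A "*" anywhere wins; otherwise the listed names are unioned.
function collectOptIn(headers) {
  const names = new Set();
  let all = false;
  for (const [name, value] of headers) {
    if (name.toLowerCase() !== 'uniform-headers') continue;
    const parsed = parseUniformHeaders(value);
    if (parsed.all) all = true;
    else for (const n of parsed) names.add(n);
  }
  return { all, names };
}

// headers: array of [name, value] pairs as received from the network
// (mixed case, possible duplicates). Returns the pairs that may be
// exposed to the requesting script; everything else is dropped, which
// is what protects headers added by a later server stage that knows
// nothing about the uniform request (the deployment in section 4.2).
function filterExposedHeaders(headers) {
  const optIn = collectOptIn(headers);
  return headers.filter(([name]) => {
    const lower = name.toLowerCase();
    return optIn.all || DEFAULT_EXPOSED.has(lower) || optIn.names.has(lower);
  });
}

// Constructed sample: an application stage emits the first four headers
// and opts in ETag and X-Request-Id; a front-end stage appends the rest.
const SAMPLE_RESPONSE = [
  ['Content-Type', 'application/json'],
  ['Uniform-Headers', 'X-Request-Id, ETag'],
  ['ETag', '"abc123"'],
  ['X-Request-Id', '42'],
  ['Set-Cookie', 'session=opaque; HttpOnly'],
  ['Server', 'example-frontend/1.0'],
];

console.log(filterExposedHeaders(SAMPLE_RESPONSE).map(([n]) => n));
```

Running it prints only Content-Type, ETag and X-Request-Id: ETag is a response header rather than an entity header, so it is hidden until the application opts it in, while Set-Cookie and Server stay hidden because the stage that added them never said otherwise. Replacing the opt-in value with "*" exposes every header in the response, including Uniform-Headers itself.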

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Julian Reschke
On 19.04.2010 17:44, Jonas Sicking wrote: On Mon, Apr 19, 2010 at 1:11 AM, Julian Reschke wrote: On 19.04.2010 10:03, Maciej Stachowiak wrote: ... I already did. If multiple layers blocked unknown response headers, and each needed a separate way to opt them back in, we'd be in trouble. Bu

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Jonas Sicking
On Mon, Apr 19, 2010 at 1:11 AM, Julian Reschke wrote: > On 19.04.2010 10:03, Maciej Stachowiak wrote: >> >> ... >>> >>> I already did. If multiple layers blocked unknown response headers, >>> and each needed a separate way to opt them back in, we'd be in trouble. >> >> But that's not the case her

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Julian Reschke
On 19.04.2010 10:03, Maciej Stachowiak wrote: ... I already did. If multiple layers blocked unknown response headers, and each needed a separate way to opt them back in, we'd be in trouble. But that's not the case here. The blocking is solely at the API surface. No one is suggesting that proxi

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Maciej Stachowiak
On Apr 19, 2010, at 12:49 AM, Julian Reschke wrote: On 19.04.2010 09:41, Maciej Stachowiak wrote: ... This obviously would be impossible if another layer (say proxies) would already block that. It wouldn't be impossible, it just wouldn't have the desired end-to- end effect. But proxies ar

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Julian Reschke
On 19.04.2010 09:41, Maciej Stachowiak wrote: ... This obviously would be impossible if another layer (say proxies) would already block that. It wouldn't be impossible, it just wouldn't have the desired end-to-end effect. But proxies are already not allowed to remove random response headers. .

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Maciej Stachowiak
On Apr 19, 2010, at 12:37 AM, Julian Reschke wrote: On 19.04.2010 09:27, Maciej Stachowiak wrote: On Apr 18, 2010, at 9:56 AM, Julian Reschke wrote: On 18.04.2010 14:35, Ben Laurie wrote: In general, whitelists are bad because they close extension points. Please consider using a black list

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Julian Reschke
On 19.04.2010 09:27, Maciej Stachowiak wrote: On Apr 18, 2010, at 9:56 AM, Julian Reschke wrote: On 18.04.2010 14:35, Ben Laurie wrote: In general, whitelists are bad because they close extension points. Please consider using a black list instead. In general, blacklists are bad because they

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Maciej Stachowiak
On Apr 18, 2010, at 9:56 AM, Julian Reschke wrote: On 18.04.2010 14:35, Ben Laurie wrote: In general, whitelists are bad because they close extension points. Please consider using a black list instead. In general, blacklists are bad because they open security holes. My experience i

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Maciej Stachowiak
On Apr 18, 2010, at 4:48 AM, Julian Reschke wrote: In general, whitelists are bad because they close extension points. Please consider using a black list instead. But blacklists are worse for security, and security is the prime consideration here. Regards, Maciej

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Bjoern Hoehrmann
* Tyler Close wrote: >If Mozilla agrees to implement it, I'd like UMP to specify a new >header named "U" whose value is either "*" or a list of allowed >response headers. A response with this header is opting out of Same >Origin Policy protection for both the response entity and the listed >respons

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Anne van Kesteren
On Mon, 19 Apr 2010 05:29:12 +0900, Tyler Close wrote: On Fri, Apr 16, 2010 at 5:52 PM, Jonas Sicking wrote: However I do like the idea of having a header which enumerates which additional headers can be exposed. That seems like it'll add similar value to exposing things by default, but with

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-18 Thread Julian Reschke
On 18.04.2010 22:29, Tyler Close wrote: If Mozilla agrees to implement it, I'd like UMP to specify a new header named "U" whose value is either "*" or a list of allowed response headers. A response with this header is opting out of Same Origin Policy protection for both the response entity and th

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-18 Thread Tyler Close
On Fri, Apr 16, 2010 at 5:52 PM, Jonas Sicking wrote: > However I do like the idea of having a header which enumerates which > additional headers can be exposed. That seems like it'll add similar > value to exposing things by default, but with much less risk. > > Didn't mnot suggest something like

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-18 Thread Julian Reschke
On 18.04.2010 14:35, Ben Laurie wrote: In general, whitelists are bad because they close extension points. Please consider using a black list instead. In general, blacklists are bad because they open security holes. My experience is that people work around white lists by tunneling in

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-18 Thread Ben Laurie
On 18 April 2010 07:48, Julian Reschke wrote: > On 14.04.2010 20:20, Tyler Close wrote: > >> On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close >> wrote: >> >>> I have been studying CORS ISSUE-90, so as to bring UMP >>> into line with this part of C

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-18 Thread Julian Reschke
On 14.04.2010 20:57, Tyler Close wrote: ... Alternatively, instead of drawing the line at the HTTP spec, we could draw it based on functionality. The following list includes all end-to-end response entity headers, as well as all headers used for caching and redirection: ... Well, it does not; t

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-18 Thread Julian Reschke
On 14.04.2010 20:20, Tyler Close wrote: On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close wrote: I have been studying CORS ISSUE-90, so as to bring UMP into line with this part of CORS. I can't find any pattern or rationale to the selection of headers

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-16 Thread Jonas Sicking
On Fri, Apr 16, 2010 at 5:29 PM, Anne van Kesteren wrote: > On Thu, 15 Apr 2010 01:41:35 +0900, Tyler Close > wrote: >> >> If I produce a more comprehensive whitelist for UMP will CORS follow my >> lead? > > I'm happy with whatever the browser security teams are happy with. Another > way to expos

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-16 Thread Anne van Kesteren
On Thu, 15 Apr 2010 01:41:35 +0900, Tyler Close wrote: If I produce a more comprehensive whitelist for UMP will CORS follow my lead? I'm happy with whatever the browser security teams are happy with. Another way to expose more response headers might be to have a special response header w

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-14 Thread Tyler Close
On Wed, Apr 14, 2010 at 11:20 AM, Tyler Close wrote: > On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close wrote: >> I have been studying CORS ISSUE-90, so as to bring UMP >> into line with this part of CORS. I can't find any pattern or >> rationale to

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-14 Thread Tyler Close
On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close wrote: > I have been studying CORS ISSUE-90, so as to bring UMP > into line with this part of CORS. I can't find any pattern or > rationale to the selection of headers on the whitelist versus those > no

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-14 Thread Tyler Close
I have been studying CORS ISSUE-90, so as to bring UMP into line with this part of CORS. I can't find any pattern or rationale to the selection of headers on the whitelist versus those not on the whitelist. Does anyone know where this list came from

Re: [UMP] Request for Last Call

2010-04-09 Thread Anne van Kesteren
On Fri, 09 Apr 2010 12:35:49 +0200, Mark S. Miller wrote: If it is a subset, then everyone who intends on implementing either CORS or UMP intends on implementing UMP. No, that just happens by accident. I don't think anybody implements CORS in the way yet that gives you UMP-type of requests

Re: [UMP] Request for Last Call

2010-04-09 Thread Mark S. Miller
On Fri, Apr 9, 2010 at 2:08 AM, Anne van Kesteren wrote: > On Thu, 08 Apr 2010 00:44:07 +0200, Mark S. Miller > wrote: > >> Since then, both CORS and UMP have changed so that UMP is now a subset >> of CORS. Since advocacy of CORS includes agreement with this subset, >> absent a third position, U

Re: [UMP] Request for Last Call

2010-04-09 Thread Anne van Kesteren
On Thu, 08 Apr 2010 00:44:07 +0200, Mark S. Miller wrote: Since then, both CORS and UMP have changed so that UMP is now a subset of CORS. Since advocacy of CORS includes agreement with this subset, absent a third position, UMP is the mutually agreed subset of the two camps. If it is a subset

Re: [UMP] Request for Last Call

2010-04-08 Thread Maciej Stachowiak
On Apr 8, 2010, at 5:40 AM, Tyler Close wrote: Reading between the lines, and please correct me if I'm mistaken, I suspect what you're really saying is that you don't want two specs to exist and you feel committed to CORS. I'm saying the latter, but not the former. So long as UMP is a subse

Re: [UMP] Request for Last Call

2010-04-08 Thread Maciej Stachowiak
On Apr 8, 2010, at 6:42 AM, Tyler Close wrote: On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow wrote: Re the relationship between CORS and UMP, I believe the last thread on that subject was the following exchange between Mark and Maciej on February 3: http://lists.w3.org/Archives/Public

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-08 Thread Tyler Close
On Thu, Apr 8, 2010 at 5:39 AM, Arthur Barstow wrote: > Tyler - do any of these CORS issues apply to UMP? >>> >>>  Reduce the length of the header names? >>>  http://www.w3.org/2008/webapps/track/issues/89 UMP uses one header: "Access-Control-Allow-Origin". The FPWD suggested a new, shorter name

Re: [UMP] Request for Last Call

2010-04-08 Thread Kris Zyp
On 4/7/2010 9:50 PM, Maciej Stachowiak wrote: > > On Apr 7, 2010, at 3:01 PM, Marcos Caceres wrote: > >> >> Are there any vendors considering dropping support for CORS in favor of just supporting UMP? >> >> This question is quite

Re: [UMP] Request for Last Call

2010-04-08 Thread Marcos Caceres
On Thu, Apr 8, 2010 at 3:42 PM, Tyler Close wrote: > On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow wrote: >> Re the relationship between CORS and UMP, I believe the last thread on that >> subject was the following exchange between Mark and Maciej on February 3: >> >>  http://lists.w3.org/Archive

Re: [UMP] Request for Last Call

2010-04-08 Thread Mark S. Miller
On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow wrote: > We also have the Comparison of CORS and UMP document: > >  http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UM > > If we are going to continue with two separate specs, I think it is important > re expectations from Members and the Publ

Re: [UMP] Request for Last Call

2010-04-08 Thread Tyler Close
On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow wrote: > Re the relationship between CORS and UMP, I believe the last thread on that > subject was the following exchange between Mark and Maciej on February 3: > >  http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/0462.html > > (Neither

Re: [UMP] Request for Last Call

2010-04-08 Thread Tyler Close
On Thu, Apr 8, 2010 at 5:44 AM, Marcos Caceres wrote: > To me personally, it only really makes sense for UMP to be merged into CORS. > Having both specs is confusing. Given that we've created a superset-subset relationship between CORS and UMP, we don't have divergent specs for the same functiona

Re: [UMP] Request for Last Call

2010-04-08 Thread Marcos Caceres
On 8/04/10 2:40 PM, Tyler Close wrote: On Wed, Apr 7, 2010 at 8:50 PM, Maciej Stachowiak wrote: Here's what I can tell you about Apple's current thinking: - We are currently shipping support for CORS via XMLHttpRequest in Safari and WebKit. - We do not plan to drop support for CORS. - We do not

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-08 Thread Arthur Barstow
Anne - for any of the issues you want to close, please propose a resolution with at least a 1-week review period. Tyler - do any of these CORS issues apply to UMP? -Art Barstow On Apr 7, 2010, at 10:22 AM, Anne van Kesteren wrote: On Wed, 07 Apr 2010 16:06:55 +0200, Arthur Barstow wr

Re: [UMP] Request for Last Call

2010-04-08 Thread Tyler Close
On Wed, Apr 7, 2010 at 8:50 PM, Maciej Stachowiak wrote: > Here's what I can tell you about Apple's current thinking: > > - We are currently shipping support for CORS via XMLHttpRequest in Safari and > WebKit. > - We do not plan to drop support for CORS. > - We do not plan to implement UMP directly fr

Re: [UMP] Request for Last Call

2010-04-08 Thread Arthur Barstow
On Apr 7, 2010, at 4:19 PM, Mark S. Miller wrote: On Wed, Apr 7, 2010 at 2:54 AM, Anne van Kesteren wrote: On Tue, 06 Apr 2010 22:12:33 +0200, Tyler Close wrote: I've uploaded a new draft of the Uniform Messaging Policy to: http://dev.w3.org/2006/waf/UMP/ This version adopts the sa

Re: [UMP] Request for Last Call

2010-04-07 Thread Maciej Stachowiak
On Apr 7, 2010, at 3:01 PM, Marcos Caceres wrote: Are there any vendors considering dropping support for CORS in favor of just supporting UMP? This question is quite relevant and I think deserves an answer. It gives the WG a real idea about consensus if there is buy-in to implement; tho

Re: [UMP] Request for Last Call

2010-04-07 Thread Mark S. Miller
On Wed, Apr 7, 2010 at 3:01 PM, Marcos Caceres wrote: > Hi Mark, > > On Wednesday, April 7, 2010, Mark S. Miller wrote: >> On Wed, Apr 7, 2010 at 2:54 AM, Anne van Kesteren wrote: >>> On Tue, 06 Apr 2010 22:12:33 +0200, Tyler Close [...] I believe the current editor's draft of UMP reflects

Re: [UMP] Request for Last Call

2010-04-07 Thread Marcos Caceres
Hi Mark, On Wednesday, April 7, 2010, Mark S. Miller wrote: > On Wed, Apr 7, 2010 at 2:54 AM, Anne van Kesteren wrote: >> On Tue, 06 Apr 2010 22:12:33 +0200, Tyler Close >> wrote: >>> >>> I've uploaded a new draft of the Uniform Messaging Policy to: >>> >>> http://dev.w3.org/2006/waf/UMP/ >>> >

Re: [UMP] Request for Last Call

2010-04-07 Thread Mark S. Miller
On Wed, Apr 7, 2010 at 2:54 AM, Anne van Kesteren wrote: > On Tue, 06 Apr 2010 22:12:33 +0200, Tyler Close > wrote: >> >> I've uploaded a new draft of the Uniform Messaging Policy to: >> >> http://dev.w3.org/2006/waf/UMP/ >> >> This version adopts the same redirect handling specified by CORS. Wit

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-07 Thread Anne van Kesteren
On Wed, 07 Apr 2010 16:06:55 +0200, Arthur Barstow wrote: What is the status and plan to get CORS ready for Last Call? I've mostly been waiting to see what happens with UMP. What I've heard so far from various implementors is that they want to keep CORS and add the ability to XMLHttpReque

CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-07 Thread Arthur Barstow
What is the status and plan to get CORS ready for Last Call? I see the following related "Raised" Issues: Reduce the length of the header names? http://www.w3.org/2008/webapps/track/issues/89 Exposing more (~infinite) response headers http://www.w3.org/2008/webapps/track/issues/90 confuse

Re: [UMP] Request for Last Call

2010-04-07 Thread Anne van Kesteren
On Wed, 07 Apr 2010 11:54:14 +0200, Anne van Kesteren wrote: Since this is just a superset of CORS I wonder why we need it. Are there any vendors considering dropping support for CORS in favor of just supporting UMP? Just in case it was not clear, I meant subset. My bad! -- Anne van Kest

Re: [UMP] Request for Last Call

2010-04-07 Thread Anne van Kesteren
On Tue, 06 Apr 2010 22:12:33 +0200, Tyler Close wrote: I've uploaded a new draft of the Uniform Messaging Policy to: http://dev.w3.org/2006/waf/UMP/ This version adopts the same redirect handling specified by CORS. With this change I believe there are no outstanding issues with UMP. The late

[UMP] Request for Last Call

2010-04-06 Thread Tyler Close
I've uploaded a new draft of the Uniform Messaging Policy to: http://dev.w3.org/2006/waf/UMP/ This version adopts the same redirect handling specified by CORS. With this change I believe there are no outstanding issues with UMP. The latest version also includes clarifications on the use of HTTP