It's implemented in Canary and Dev. I don't recall if we got it in before the latest branch point; might or might not be in Beta shortly.
Regarding the fallback behavior, sounds like something worth raising on public-w webappsec. I'm fairly sure it's the behavior the spec mandates, but I'm certainly open to changing it (as well as the combination behavior, which might not really be workable (and which we haven't implemented yet)).
-mike (on a phone)
Thanks!
I think I will just discuss the extensibility issues at appsec cali with various folks and then email it out to webappsec.