
Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 16 Apr 2010 17:52:07 -0700
Message-ID: <y2m63df84f1004161752yf23cb11er15ab200849d205bb@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Arthur Barstow <Art.Barstow@nokia.com>, Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>

On Fri, Apr 16, 2010 at 5:29 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Thu, 15 Apr 2010 01:41:35 +0900, Tyler Close <tyler.close@gmail.com>
> wrote:
>>
>> If I produce a more comprehensive whitelist for UMP will CORS follow my
>> lead?
>
> I'm happy with whatever the browser security teams are happy with. Another
> way to expose more response headers might be to have a special response
> header whose value indicates which headers can be exposed.

I'm definitely of the opinion that "less is more" when it comes to
which headers are exposed by default. I think everything we expose by
default needs to provide solid value, so I'd like to hear use cases
for every header we expose. Why add risk if there is no value?

However, I do like the idea of having a header which enumerates which
additional headers can be exposed. That seems like it'll add similar
value to exposing things by default, but with much less risk.

Didn't mnot suggest something like that as part of his HTTP review?

/ Jonas
Received on Saturday, 17 April 2010 00:52:55 GMT
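
The opt-in idea discussed in this message (a small default set of readable response headers, plus a response header that enumerates additional ones), as an added JavaScript sketch that is not code from the thread, from the CORS or UMP drafts, or from any browser. Assumptions: the opt-in header name Access-Control-Expose-Headers (the message names none), the sample default list, the never-exposed list, and the fail-closed parsing are all choices made for this illustration.

```javascript
// Added illustration: not code from this thread, a spec draft, or a browser.
// Assumed default allowlist, kept deliberately small ("less is more").
const DEFAULT_EXPOSED = ["cache-control", "content-language", "content-type",
                         "expires", "last-modified", "pragma"];
// Assumed name for the opt-in header; the message does not name one.
const EXPOSE_HEADER = "access-control-expose-headers";
// Names this sketch never exposes, even if the server lists them.
const NEVER_EXPOSED = ["set-cookie", "set-cookie2"];
// HTTP header field names are "token" characters only.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse every instance of the opt-in header into a set of lowercase names.
// Entries are literal names (no wildcard). A malformed entry discards the
// whole list, so a parsing surprise exposes less rather than more.
function parseExposeList(values) {
  const names = new Set();
  for (const value of values) {
    for (const item of value.split(",")) {
      const name = item.trim().toLowerCase();
      if (name === "") continue;
      if (!TOKEN.test(name)) return new Set();
      names.add(name);
    }
  }
  return names;
}

// rawHeaders: array of [name, value] pairs as received from the server.
// Returns only the pairs a cross-origin caller would be allowed to read.
function exposedHeaders(rawHeaders) {
  const optInValues = rawHeaders
    .filter(([name]) => name.toLowerCase() === EXPOSE_HEADER)
    .map(([, value]) => value);
  const allowed = new Set([...DEFAULT_EXPOSED, ...parseExposeList(optInValues)]);
  for (const name of NEVER_EXPOSED) allowed.delete(name);
  return rawHeaders.filter(([name]) => allowed.has(name.toLowerCase()));
}

// Constructed sample response (not captured traffic).
const SAMPLE_RESPONSE = [
  ["Content-Type", "application/json"],
  ["X-Request-Id", "abc123"],
  ["X-Internal-Host", "db-7.internal.example"],
  ["Set-Cookie", "sid=1"],
  ["Access-Control-Expose-Headers", "X-Request-Id, Set-Cookie"],
];

console.log(exposedHeaders(SAMPLE_RESPONSE).map(([name]) => name));
```

In the sample, X-Internal-Host stays hidden because the server never listed it, and Set-Cookie stays hidden even though it was listed.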
