
Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 18 Apr 2010 13:48:13 +0200
Message-ID: <4BCAF17D.5080205@gmx.de>
To: Tyler Close <tyler.close@gmail.com>
CC: Arthur Barstow <Art.Barstow@nokia.com>, ext Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On 14.04.2010 20:20, Tyler Close wrote:
> On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close<tyler.close@gmail.com>  wrote:
>> I have been studying CORS ISSUE-90
>> <http://www.w3.org/2008/webapps/track/issues/90>, so as to bring UMP
>> into line with this part of CORS. I can't find any pattern or
>> rationale to the selection of headers on the whitelist versus those
>> not on the whitelist. Does anyone know where this list came from and
>> how it was produced?
>>
>> If I produce a more comprehensive whitelist for UMP will CORS follow my lead?
>
> The following whitelist includes all end-to-end response headers
> defined by HTTP, unless there is a specific security risk:
>
> # Age
> # Allow
> # Cache-Control
> # Content-Disposition
> # Content-Encoding
> # Content-Language
> # Content-Length
> # Content-Location
> # Content-MD5
> # Content-Range
> # Content-Type
> # Date
> # ETag
> # Expires
> # Last-Modified
> # Location
> # MIME-Version
> # Pragma
> # Retry-After
> # Server
> # Vary
> # Warning
>
> Does anyone object to making this the new whitelist for both CORS and UMP?

In general, whitelists are bad because they close extension points. 
Please consider using a black list instead.

Best regards, Julian
Received on Sunday, 18 April 2010 11:48:47 GMT
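The whitelist quoted in the thread and Julian's objection, as an added example that is not code from the thread, from CORS or from UMP: a filter that models what cross-origin script could read under the proposed list, applied to a constructed sample response. Any header off the list, including custom extension headers, is hidden; the example assumes the Access-Control-Expose-Headers server opt-in that the CORS draft defines as the way to reopen that extension point.

```javascript
// Added example: model the proposed response-header whitelist. Names are
// compared case-insensitively, as HTTP header names are.
const PROPOSED_WHITELIST = new Set([
  "age", "allow", "cache-control", "content-disposition", "content-encoding",
  "content-language", "content-length", "content-location", "content-md5",
  "content-range", "content-type", "date", "etag", "expires", "last-modified",
  "location", "mime-version", "pragma", "retry-after", "server", "vary", "warning",
]);

// Parse a raw header block into [lower-cased name, value] pairs.
function parseHeaders(raw) {
  return raw.split(/\r?\n/)
    .filter((line) => line.includes(":"))
    .map((line) => {
      const idx = line.indexOf(":");
      return [line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()];
    });
}

// Return the headers a cross-origin caller may read: whitelisted ones plus
// any the server explicitly listed in Access-Control-Expose-Headers.
function exposedHeaders(raw) {
  const headers = parseHeaders(raw);
  const optIn = new Set();
  for (const [name, value] of headers) {
    if (name === "access-control-expose-headers") {
      value.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
        .forEach((h) => optIn.add(h));
    }
  }
  const visible = {};
  for (const [name, value] of headers) {
    if (PROPOSED_WHITELIST.has(name) || optIn.has(name)) visible[name] = value;
  }
  return visible;
}

// Constructed sample response: two whitelisted headers, one custom header the
// whitelist silently drops, and one custom header the server chose to expose.
const SAMPLE = [
  "Content-Type: application/json",
  "ETag: \"abc123\"",
  "X-Rate-Limit: 100",
  "X-Request-Id: 42",
  "Access-Control-Expose-Headers: X-Request-Id",
].join("\r\n");
```

Running `exposedHeaders(SAMPLE)` yields Content-Type, ETag and X-Request-Id only; X-Rate-Limit is invisible to the caller, which is the extension-point cost Julian points at.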

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT