
Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

From: Ben Laurie <benl@google.com>
Date: Sun, 18 Apr 2010 08:35:46 -0400
Message-ID: <q2m1b587cab1004180535q57a5bf00qf1c8d78d1c1dd488@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, ext Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On 18 April 2010 07:48, Julian Reschke <julian.reschke@gmx.de> wrote:

> On 14.04.2010 20:20, Tyler Close wrote:
>
>> On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>
>>> I have been studying CORS ISSUE-90
>>> <http://www.w3.org/2008/webapps/track/issues/90>, so as to bring UMP
>>> into line with this part of CORS. I can't find any pattern or
>>> rationale to the selection of headers on the whitelist versus those
>>> not on the whitelist. Does anyone know where this list came from and
>>> how it was produced?
>>>
>>> If I produce a more comprehensive whitelist for UMP will CORS follow my
>>> lead?
>>>
>>
>> The following whitelist includes all end-to-end response headers
>> defined by HTTP, unless there is a specific security risk:
>>
>> # Age
>> # Allow
>> # Cache-Control
>> # Content-Disposition
>> # Content-Encoding
>> # Content-Language
>> # Content-Length
>> # Content-Location
>> # Content-MD5
>> # Content-Range
>> # Content-Type
>> # Date
>> # ETag
>> # Expires
>> # Last-Modified
>> # Location
>> # MIME-Version
>> # Pragma
>> # Retry-After
>> # Server
>> # Vary
>> # Warning
>>
>> Does anyone object to making this the new whitelist for both CORS and UMP?
>>
>
> In general, whitelists are bad because they close extension points. Please
> consider using a black list instead.
>

In general, blacklists are bad because they open security holes.
Received on Sunday, 18 April 2010 12:36:18 GMT
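The disagreement in this thread is about what happens to a response header that the policy author never anticipated. The following is an added example, not code from the thread or from any CORS implementation: it takes Tyler Close's proposed whitelist exactly as listed above, puts a hypothetical blacklist of the kind Julian Reschke suggests next to it (the thread names no such list; the entries are constructed), and runs both over a constructed response that carries one custom header. The difference in what a cross-origin script would be allowed to read is Ben Laurie's point in one line. The header `X-Internal-Token` and its value are made up for the example.

```javascript
// Added example (not from the thread): compare the whitelist and blacklist
// policies for deciding which response headers a cross-origin script may read.
// HTTP header names are case-insensitive, so names are lower-cased first.

// Tyler Close's proposed whitelist, copied from his message above.
const PROPOSED_WHITELIST = new Set([
  "age", "allow", "cache-control", "content-disposition", "content-encoding",
  "content-language", "content-length", "content-location", "content-md5",
  "content-range", "content-type", "date", "etag", "expires", "last-modified",
  "location", "mime-version", "pragma", "retry-after", "server", "vary",
  "warning",
]);

// A hypothetical blacklist of the kind Julian Reschke suggests: whatever the
// author considered sensitive when the list was written. Constructed here;
// the thread proposes no concrete blacklist.
const HYPOTHETICAL_BLACKLIST = new Set([
  "set-cookie", "set-cookie2", "www-authenticate", "proxy-authenticate",
]);

// Whitelist policy: a header is readable only if it is explicitly listed.
function exposedByWhitelist(headers, whitelist = PROPOSED_WHITELIST) {
  return Object.keys(headers).filter((name) => whitelist.has(name.toLowerCase()));
}

// Blacklist policy: a header is readable unless it is explicitly listed.
function exposedByBlacklist(headers, blacklist = HYPOTHETICAL_BLACKLIST) {
  return Object.keys(headers).filter((name) => !blacklist.has(name.toLowerCase()));
}

// Constructed sample response: a few standard headers plus one custom header
// that did not exist when either policy was written.
const SAMPLE_RESPONSE = {
  "Content-Type": "application/json",
  "Cache-Control": "no-store",
  "ETag": '"abc123"',
  "Set-Cookie": "session=example",        // constructed value
  "X-Internal-Token": "example-value",    // constructed; not in any spec
};

// Header names the blacklist exposes but the whitelist does not: exactly what
// a cross-origin script gains when the policy is inverted.
function leakedByBlacklist(headers) {
  const safe = new Set(exposedByWhitelist(headers).map((n) => n.toLowerCase()));
  return exposedByBlacklist(headers).filter((n) => !safe.has(n.toLowerCase()));
}

console.log("whitelist exposes:", exposedByWhitelist(SAMPLE_RESPONSE));
console.log("blacklist exposes:", exposedByBlacklist(SAMPLE_RESPONSE));
console.log("leaked by blacklist:", leakedByBlacklist(SAMPLE_RESPONSE));
```

The whitelist is closed by construction: the unanticipated header stays hidden until someone deliberately adds it, which is the extension cost Julian objects to. The blacklist exposes the same header by default, which is the hole Ben objects to. The list CORS eventually standardised (the CORS-safelisted response-header names in the Fetch standard) is much shorter than Tyler's proposal; replacing `PROPOSED_WHITELIST` with that set shows how little a cross-origin script can read without an explicit `Access-Control-Expose-Headers` from the server.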
