
Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 19 Apr 2010 09:49:12 +0200
Message-ID: <4BCC0AF8.9060300@gmx.de>
To: Maciej Stachowiak <mjs@apple.com>
CC: Ben Laurie <benl@google.com>, Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, ext Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On 19.04.2010 09:41, Maciej Stachowiak wrote:
> ...
>> This obviously would be impossible if another layer (say proxies)
>> would already block that.
>
> It wouldn't be impossible, it just wouldn't have the desired end-to-end
> effect. But proxies are already not allowed to remove random response
> headers.
> ...

Whatever the rule is for proxies should be the rule for a software layer 
as well. What's relevant is the impact on the application.

>> Don't do to others what you don't want to be done to yourself.
>>
>> Blacklist things when there is a problem.
>
> I think a whitelist with opt-in exceptions strikes the right balance
> between security and extensibility. You haven't provided any reasons why
> that's not good enough.

I already did. If multiple layers blocked unknown response headers, and 
each needed a separate way to opt them back in, we'd be in trouble.

Best regards, Julian
Received on Monday, 19 April 2010 07:50:06 GMT
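An added illustration, not part of the thread: a small Python model of the whitelist-with-opt-in filter the two sides are debating (the simple response headers readable without opt-in, plus whatever the server names in Access-Control-Expose-Headers), with a hypothetical intermediary that strips headers it does not recognise, so the effect Julian describes can be checked directly. The header values and the stripping proxy are constructed for the example.

```python
"""Added example (not from the mailing-list thread): models the CORS
response-header filter of the 2010-era drafts so the whitelist-with-opt-in
design under discussion, and the stacked-layers objection, are concrete."""

# Headers every cross-origin caller may read without any opt-in
# ("simple response headers" in the CORS drafts of the time).
SIMPLE_RESPONSE_HEADERS = frozenset({
    "cache-control", "content-language", "content-type",
    "expires", "last-modified", "pragma",
})


def parse_expose_headers(headers):
    """Return the lowercase names opted in via Access-Control-Expose-Headers."""
    value = headers.get("access-control-expose-headers", "")
    return frozenset(h.strip().lower() for h in value.split(",") if h.strip())


def cors_exposed_headers(headers):
    """Whitelist with opt-in: script may read a header only if it is simple
    or the server explicitly named it in Access-Control-Expose-Headers."""
    names = {k.lower(): v for k, v in headers.items()}
    allowed = SIMPLE_RESPONSE_HEADERS | parse_expose_headers(names)
    return {k: v for k, v in names.items() if k in allowed}


def strip_unknown_headers(headers, known):
    """Hypothetical intermediary (the 'another layer' in Julian's reply)
    that drops every response header outside its own known set."""
    return {k: v for k, v in headers.items() if k.lower() in known}


def exposed_after_layers(response, proxy_known=None):
    """Run the optional stripping intermediary first, then the browser's
    CORS filter, and return what cross-origin script ends up able to read."""
    if proxy_known is not None:
        response = strip_unknown_headers(response, proxy_known)
    return cors_exposed_headers(response)


# Constructed sample response: the server opts in one custom header.
RESPONSE = {
    "Content-Type": "application/json",
    "X-Request-Id": "abc123",  # constructed value
    "Access-Control-Expose-Headers": "X-Request-Id",
}
```

With no intermediary, the opt-in works and X-Request-Id is readable; once a layer that only knows the simple headers sits in front, the custom header is gone before the browser ever sees the opt-in, which is the failure mode the reply points at.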