W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 19 Apr 2010 08:44:15 -0700
Message-ID: <s2n63df84f1004190844ka2837cc2wd6f0b123bbe2183b@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Maciej Stachowiak <mjs@apple.com>, Ben Laurie <benl@google.com>, Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, ext Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Mon, Apr 19, 2010 at 1:11 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 19.04.2010 10:03, Maciej Stachowiak wrote:
>>
>> ...
>>>
>>> I already did. If multiple layers blocked unknown response headers,
>>> and each needed a separate way to opt them back in, we'd be in trouble.
>>
>> But that's not the case here. The blocking is solely at the API surface.
>> No one is suggesting that proxies should block unknown response headers.
>> ...
>
> For the application, it's totally irrelevant who's blocking the header. If
> it's blocked, it can't be used, and people *will* come up with ugly
> workarounds which are likely to cause even more problems in the future.

Unfortunately a blacklist approach is simply not safe enough. Fixing
security problems as they come up is not good enough as the turnaround
time is much too slow.

/ Jonas
Received on Monday, 19 April 2010 15:45:10 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT