Re: site-wide headers

Hi Martin,

On Wed, Sep 28, 2016 at 09:00:05PM +1000, Martin Thomson wrote:
> (
> I like this approach because it is more obviously composable into an
> existing system at the consuming end.  I especially like that the
> format is without opinion about its contents.  That makes it quite
> powerful.
> I dislike this approach (in contrast to the JSON-based
> origin-policy[1]) because it uses header fields.  Of course that makes
> it better suited to HTTP.

In fact that's what I find powerful here. I know *many* places where
these headers are set by the front reverse-proxy, simply because it
ensures that they're uniform across all the servers. But it also
happens that there are exceptions (eg: for static some servers or
certain unrelated applications). With this mechanism, there's almost
nothing to change in the way it works. The admin will just have to
add "HS" to the responses instead of adding all these header fields,
when the reverse-proxy notices that the client provided the valid SM
field. And it also ensures the proxy an simply remove HS: and replace
it with all appropriate headers when it comes from a server where it's
not appropriate at all (you know, some application developers like to
copy-paste when they don't know).

So in fact, it supports everything already supported today but the
smarter way. It's really nice in my opinion.


Received on Saturday, 1 October 2016 06:13:25 UTC