Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

On Fri, Apr 16, 2010 at 5:29 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Thu, 15 Apr 2010 01:41:35 +0900, Tyler Close <tyler.close@gmail.com>
> wrote:
>>
>> If I produce a more comprehensive whitelist for UMP will CORS follow my
>> lead?
>
> I'm happy with whatever the browser security teams are happy with. Another
> way to expose more response headers might be to have a special response
> header whose value indicates which headers can be exposed.

I'm definitely of the opinion that "less is more" when it comes to
which headers are exposed by default. I think everything we expose by
default needs to provide solid value, so I'd like to hear use cases
for every header we expose. Why add risk if there is no value?

However I do like the idea of having a header which enumerates which
additional headers can be exposed. That seems like it'll add similar
value to exposing things by default, but with much less risk.

Didn't mnot suggest something like that as part of his HTTP review?

/ Jonas

Received on Saturday, 17 April 2010 00:52:55 UTC
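
The opt-in idea discussed in this message, sketched as an added example (not part of the original e-mail and not any browser's code): a small default whitelist, plus a response header that enumerates the extra headers a cross-origin script may read. The header name Access-Control-Expose-Headers and the default list are assumptions taken from the CORS specification as later published; the function names are hypothetical and the sample response is constructed.

```javascript
// Default whitelist (assumption: the CORS "simple response headers").
const DEFAULT_EXPOSED = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);
// Stay hidden from script even if the server lists them.
const NEVER_EXPOSED = new Set(["set-cookie", "set-cookie2"]);
// HTTP token grammar, used to drop malformed list entries.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse the opt-in header value into a set of lower-cased field names.
function parseExposeList(value) {
  const names = new Set();
  if (typeof value !== "string") return names;
  for (const item of value.split(",")) {
    const name = item.trim();
    if (TOKEN.test(name)) names.add(name.toLowerCase());
  }
  return names;
}

// Return only the headers a cross-origin script may read.
// `headers` is an array of [name, value] pairs as received from the network.
function visibleHeaders(headers) {
  const optIn = headers
    .filter(([n]) => n.toLowerCase() === "access-control-expose-headers")
    .map(([, v]) => v)
    .join(",");
  const allowed = parseExposeList(optIn);
  const out = Object.create(null); // no inherited keys such as "constructor"
  for (const [name, value] of headers) {
    const key = name.toLowerCase();
    if (NEVER_EXPOSED.has(key)) continue;
    if (DEFAULT_EXPOSED.has(key) || allowed.has(key)) {
      out[key] = key in out ? out[key] + ", " + value : value;
    }
  }
  return out;
}

// Constructed sample response: one default header, one opted-in header,
// one internal header the server did not list, and a malformed list entry.
const sample = [
  ["Content-Type", "application/json"],
  ["Set-Cookie", "sid=constructed-value; HttpOnly"],
  ["X-Request-Id", "constructed-1234"],
  ["X-Internal-Host", "constructed-backend-7"],
  ["Access-Control-Expose-Headers", "X-Request-Id, bad name"],
];
console.log(visibleHeaders(sample));
```

Anything the server does not name stays invisible to the requesting page, so a header added later on the server side is not exposed by accident.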