- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 16 Apr 2010 17:52:07 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Arthur Barstow <Art.Barstow@nokia.com>, Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Fri, Apr 16, 2010 at 5:29 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Thu, 15 Apr 2010 01:41:35 +0900, Tyler Close <tyler.close@gmail.com>
> wrote:
>>
>> If I produce a more comprehensive whitelist for UMP will CORS follow my
>> lead?
>
> I'm happy with whatever the browser security teams are happy with. Another
> way to expose more response headers might be to have a special response
> header whose value indicates which headers can be exposed.

I'm definitely of the opinion that "less is more" when it comes to
which headers are exposed by default. I think everything we expose by
default needs to provide solid value, so I'd like to hear use cases
for every header we expose. Why add risk if there is no value?

However I do like the idea of having a header which enumerates which
additional headers can be exposed. That seems like it'll add similar
value to exposing things by default, but with much less risk. Didn't
mnot suggest something like that as part of his HTTP review?

/ Jonas

Received on Saturday, 17 April 2010 00:52:55 UTC
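
The opt-in mechanism discussed in this message, shown as an added example (not code from the thread or from any specification): a client exposes a small default set of response headers plus only those the server names in a dedicated response header. The header name `X-Expose-Headers`, the two-entry default set and the sample response are assumptions constructed for illustration.

```javascript
// Added example. All names here are hypothetical, not taken from the thread.
const DEFAULT_EXPOSED = new Set(["cache-control", "content-type"]); // constructed minimal default
const OPT_IN_HEADER = "x-expose-headers"; // hypothetical name for the enumerating header
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // HTTP field-name (token) grammar

// Parse the opt-in value: a comma-separated list of header names.
// Entries that are not valid field names are dropped, never guessed at.
function parseExposeList(value) {
  const names = new Set();
  if (typeof value !== "string") return names;
  for (const part of value.split(",")) {
    const name = part.trim().toLowerCase();
    if (name !== "" && TOKEN.test(name)) names.add(name);
  }
  return names;
}

// responseHeaders: array of [name, value] pairs as received from the server.
// Returns a Map of the headers a cross-origin caller would be allowed to read.
function exposedHeaders(responseHeaders) {
  const optIn = new Set();
  for (const [name, value] of responseHeaders) {
    if (name.toLowerCase() === OPT_IN_HEADER) {
      for (const n of parseExposeList(value)) optIn.add(n);
    }
  }
  const visible = new Map();
  for (const [name, value] of responseHeaders) {
    const key = name.toLowerCase(); // header names compare case-insensitively
    if (!DEFAULT_EXPOSED.has(key) && !optIn.has(key)) continue; // deny by default
    visible.set(key, visible.has(key) ? visible.get(key) + ", " + value : value);
  }
  return visible;
}

// Constructed sample response: one default header, one opted-in header,
// one header the server never listed, and a malformed opt-in entry.
const SAMPLE_RESPONSE = [
  ["Content-Type", "application/json"],
  ["X-Request-Id", "abc123"],
  ["X-Internal-Backend", "node-7"],
  ["X-Expose-Headers", "X-Request-Id, bad name"],
];

const SAMPLE_VISIBLE = exposedHeaders(SAMPLE_RESPONSE);
console.log([...SAMPLE_VISIBLE.keys()]);
```

Anything the server does not list stays hidden, so adding a new internal header on the server side cannot leak to cross-origin callers by accident.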