Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

On 14.04.2010 20:20, Tyler Close wrote:
> On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close<tyler.close@gmail.com>  wrote:
>> I have been studying CORS ISSUE-90
>> <http://www.w3.org/2008/webapps/track/issues/90>, so as to bring UMP
>> into line with this part of CORS. I can't find any pattern or
>> rationale to the selection of headers on the whitelist versus those
>> not on the whitelist. Does anyone know where this list came from and
>> how it was produced?
>>
>> If I produce a more comprehensive whitelist for UMP will CORS follow my lead?
>
> The following whitelist includes all end-to-end response headers
> defined by HTTP, unless there is a specific security risk:
>
> # Age
> # Allow
> # Cache-Control
> # Content-Disposition
> # Content-Encoding
> # Content-Language
> # Content-Length
> # Content-Location
> # Content-MD5
> # Content-Range
> # Content-Type
> # Date
> # ETag
> # Expires
> # Last-Modified
> # Location
> # MIME-Version
> # Pragma
> # Retry-After
> # Server
> # Vary
> # Warning
>
> Does anyone object to making this the new whitelist for both CORS and UMP?

In general, whitelists are bad because they close extension points.
Please consider using a blacklist instead.

Best regards, Julian

Received on Sunday, 18 April 2010 11:48:47 UTC
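The two positions in the thread (Tyler's fixed whitelist of exposable response headers versus Julian's blacklist of the headers with a specific security risk) can be compared directly by modelling the browser-side filter that decides which response headers a cross-origin script may read. The following is an added example and not code from the thread, from CORS or from UMP: it uses the header list quoted above as the whitelist, the `Access-Control-Expose-Headers` opt-in that CORS defines, and a constructed blacklist of `Set-Cookie`/`Set-Cookie2` to stand in for "headers with a specific security risk" (which headers belong on such a list is exactly what the thread leaves open). The function names and the sample response are constructed for this illustration.

```javascript
// Added example: models a browser's cross-origin response-header filter under
// two policies. Not part of the thread or of any CORS/UMP implementation.

// The whitelist proposed in the quoted message, normalised to lower case.
const PROPOSED_WHITELIST = new Set([
  'age', 'allow', 'cache-control', 'content-disposition', 'content-encoding',
  'content-language', 'content-length', 'content-location', 'content-md5',
  'content-range', 'content-type', 'date', 'etag', 'expires', 'last-modified',
  'location', 'mime-version', 'pragma', 'retry-after', 'server', 'vary', 'warning',
]);

// Constructed blacklist for the "specific security risk" policy: the headers
// a cross-origin script must never read because they carry credential state.
const RISK_BLACKLIST = new Set(['set-cookie', 'set-cookie2']);

// Constructed sample response; note the non-standard extension header.
const SAMPLE_RESPONSE = {
  'Content-Type': 'application/json',
  'ETag': '"abc123"',
  'Set-Cookie': 'session=constructed; HttpOnly',
  'X-Request-Id': 'req-0001',
};

// Parse a comma-separated header-name list (the value syntax of
// Access-Control-Expose-Headers) into trimmed, lower-cased names.
function parseHeaderList(value) {
  if (!value) return [];
  return value.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Lower-case every header name so lookups are case-insensitive, as HTTP is.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Whitelist policy: a header is readable only if it is on the fixed list or
// the server opted it in via Access-Control-Expose-Headers.
function exposedByWhitelist(headers) {
  const h = normalise(headers);
  const optIn = new Set(parseHeaderList(h['access-control-expose-headers']));
  const out = {};
  for (const [name, value] of Object.entries(h)) {
    if (PROPOSED_WHITELIST.has(name) || optIn.has(name)) out[name] = value;
  }
  return out;
}

// Blacklist policy: every header is readable except those on the risk list.
function exposedByBlacklist(headers) {
  const out = {};
  for (const [name, value] of Object.entries(normalise(headers))) {
    if (!RISK_BLACKLIST.has(name)) out[name] = value;
  }
  return out;
}

// Report which headers each policy exposes and which extension headers the
// whitelist silently hides (Julian's "closed extension point" objection).
function compareModels(headers) {
  const wl = Object.keys(exposedByWhitelist(headers)).sort();
  const bl = Object.keys(exposedByBlacklist(headers)).sort();
  return {
    whitelist: wl,
    blacklist: bl,
    closedExtensionPoints: bl.filter(n => !wl.includes(n)),
  };
}

console.log(compareModels(SAMPLE_RESPONSE));
console.log(exposedByWhitelist({ ...SAMPLE_RESPONSE,
  'Access-Control-Expose-Headers': 'X-Request-Id' }));
```

Run as-is, the first report shows that both policies hide `Set-Cookie`, but only the whitelist hides `X-Request-Id`; the second call shows the whitelist reopening that extension point when the server opts the header in. The trade-off the thread is arguing about is visible in the two functions: the whitelist fails closed for any header nobody anticipated, the blacklist fails open for any risky header nobody listed.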