- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 18 Apr 2010 13:48:13 +0200
- To: Tyler Close <tyler.close@gmail.com>
- CC: Arthur Barstow <Art.Barstow@nokia.com>, ext Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On 14.04.2010 20:20, Tyler Close wrote:
> On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> I have been studying CORS ISSUE-90
>> <http://www.w3.org/2008/webapps/track/issues/90>, so as to bring UMP
>> into line with this part of CORS. I can't find any pattern or
>> rationale to the selection of headers on the whitelist versus those
>> not on the whitelist. Does anyone know where this list came from and
>> how it was produced?
>>
>> If I produce a more comprehensive whitelist for UMP will CORS follow my lead?
>
> The following whitelist includes all end-to-end response headers
> defined by HTTP, unless there is a specific security risk:
>
> # Age
> # Allow
> # Cache-Control
> # Content-Disposition
> # Content-Encoding
> # Content-Language
> # Content-Length
> # Content-Location
> # Content-MD5
> # Content-Range
> # Content-Type
> # Date
> # ETag
> # Expires
> # Last-Modified
> # Location
> # MIME-Version
> # Pragma
> # Retry-After
> # Server
> # Vary
> # Warning
>
> Does anyone object to making this the new whitelist for both CORS and UMP?

In general, whitelists are bad because they close extension points. Please consider using a black list instead.

Best regards, Julian
Received on Sunday, 18 April 2010 11:48:47 UTC
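The following is an added illustration, not code from the thread or from the CORS/UMP specifications. It models which response headers a cross-origin script would be allowed to read under the three approaches discussed above: the CORS "simple response header" safelist, Tyler Close's proposed extended whitelist (copied from his message), and a denylist in the spirit of Julian Reschke's reply. The denylist contents and the sample response are constructed assumptions for the example; the thread names no specific headers to block.

```javascript
// Added example (not code from the thread). Models which response headers a
// cross-origin script may read under the three policies discussed above:
// the CORS "simple response header" safelist, Tyler Close's proposed
// extended whitelist, and a denylist in the spirit of Julian Reschke's reply.

// CORS simple response headers, as listed in the CORS specification.
// (The later Fetch standard also added Content-Length to this list.)
const CORS_SIMPLE_RESPONSE_HEADERS = [
  "Cache-Control", "Content-Language", "Content-Type",
  "Expires", "Last-Modified", "Pragma",
];

// Tyler Close's proposed whitelist, copied from the quoted message.
const PROPOSED_WHITELIST = [
  "Age", "Allow", "Cache-Control", "Content-Disposition", "Content-Encoding",
  "Content-Language", "Content-Length", "Content-Location", "Content-MD5",
  "Content-Range", "Content-Type", "Date", "ETag", "Expires", "Last-Modified",
  "Location", "MIME-Version", "Pragma", "Retry-After", "Server", "Vary", "Warning",
];

// Illustrative denylist; an assumption for this example, since the thread
// names no specific headers to block. Set-Cookie is the classic header that
// must never be readable by script across origins.
const EXAMPLE_DENYLIST = ["Set-Cookie", "Set-Cookie2"];

// HTTP header names are case-insensitive; normalise once.
function toLowerSet(names) {
  return new Set(names.map((n) => n.toLowerCase()));
}

// Access-Control-Expose-Headers is a comma-separated list of header names
// the server explicitly opts in to exposing (headers are [name, value] pairs).
function parseExposeHeaders(headers) {
  const value = headers
    .filter(([name]) => name.toLowerCase() === "access-control-expose-headers")
    .map(([, v]) => v)
    .join(",");
  return toLowerSet(value.split(",").map((s) => s.trim()).filter(Boolean));
}

// Safelist policy: readable only if on the safelist or explicitly exposed.
function visibleUnderSafelist(headers, safelist) {
  const allowed = toLowerSet(safelist);
  const exposed = parseExposeHeaders(headers);
  const visible = new Set();
  for (const [name] of headers) {
    const n = name.toLowerCase();
    if (allowed.has(n) || exposed.has(n)) visible.add(n);
  }
  return [...visible].sort();
}

// Denylist policy: everything is readable unless explicitly blocked, so
// extension headers pass through without any server opt-in.
function visibleUnderDenylist(headers, denylist) {
  const blocked = toLowerSet(denylist);
  const visible = new Set();
  for (const [name] of headers) {
    const n = name.toLowerCase();
    if (!blocked.has(n)) visible.add(n);
  }
  return [...visible].sort();
}

// Constructed sample response (not from the thread).
const SAMPLE_RESPONSE = [
  ["Content-Type", "application/json"],
  ["Content-Length", "17"],
  ["ETag", '"abc123"'],
  ["Set-Cookie", "session=opaque; HttpOnly"],
  ["X-Request-Id", "req-42"],
];

// Same response, but the server opts in to exposing its extension header.
const SAMPLE_RESPONSE_WITH_EXPOSE = [
  ...SAMPLE_RESPONSE,
  ["Access-Control-Expose-Headers", "X-Request-Id"],
];

console.log("CORS safelist:", visibleUnderSafelist(SAMPLE_RESPONSE, CORS_SIMPLE_RESPONSE_HEADERS));
console.log("Proposed list:", visibleUnderSafelist(SAMPLE_RESPONSE, PROPOSED_WHITELIST));
console.log("With opt-in:  ", visibleUnderSafelist(SAMPLE_RESPONSE_WITH_EXPOSE, CORS_SIMPLE_RESPONSE_HEADERS));
console.log("Denylist:     ", visibleUnderDenylist(SAMPLE_RESPONSE, EXAMPLE_DENYLIST));
```

Under either whitelist the custom `X-Request-Id` header is invisible until the server names it in `Access-Control-Expose-Headers`, which is the "closed extension point" Julian objects to; under the denylist it is visible by default, and the safety of the scheme then rests entirely on the denylist being complete.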