Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

On 18 April 2010 07:48, Julian Reschke <julian.reschke@gmx.de> wrote:

> On 14.04.2010 20:20, Tyler Close wrote:
>
>> On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>
>>> I have been studying CORS ISSUE-90
>>> <http://www.w3.org/2008/webapps/track/issues/90>, so as to bring UMP
>>> into line with this part of CORS. I can't find any pattern or
>>> rationale to the selection of headers on the whitelist versus those
>>> not on the whitelist. Does anyone know where this list came from and
>>> how it was produced?
>>>
>>> If I produce a more comprehensive whitelist for UMP will CORS follow my
>>> lead?
>>>
>>
>> The following whitelist includes all end-to-end response headers
>> defined by HTTP, unless there is a specific security risk:
>>
>> # Age
>> # Allow
>> # Cache-Control
>> # Content-Disposition
>> # Content-Encoding
>> # Content-Language
>> # Content-Length
>> # Content-Location
>> # Content-MD5
>> # Content-Range
>> # Content-Type
>> # Date
>> # ETag
>> # Expires
>> # Last-Modified
>> # Location
>> # MIME-Version
>> # Pragma
>> # Retry-After
>> # Server
>> # Vary
>> # Warning
>>
>> Does anyone object to making this the new whitelist for both CORS and UMP?
>>
>
> In general, whitelists are bad because they close extension points. Please
> consider using a black list instead.
>

In general, blacklists are bad because they open security holes.

Received on Sunday, 18 April 2010 12:36:18 UTC
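The exchange above is about which response headers a cross-origin script may read without the server opting them in. The following is an added example, not code from the thread, from the CORS or UMP drafts, or from any browser: it models a browser-side filter and runs a constructed response through two policies, the whitelist exactly as proposed in the message above and a hypothetical blacklist (its contents are an assumption for the comparison, not something anyone in the thread proposed). The opt-in mechanism, Access-Control-Expose-Headers, is the real CORS header; the sample response headers, including X-Internal-Session and X-Request-Id, are constructed for the example.

```javascript
// Added example, not code from the thread or the CORS/UMP drafts. It models
// the browser-side filter that decides which response headers a cross-origin
// script may read, and contrasts the proposed whitelist with a blacklist.

// Response-header whitelist exactly as listed in the message above,
// lower-cased because header names are case-insensitive.
const PROPOSED_WHITELIST = new Set([
  "age", "allow", "cache-control", "content-disposition", "content-encoding",
  "content-language", "content-length", "content-location", "content-md5",
  "content-range", "content-type", "date", "etag", "expires", "last-modified",
  "location", "mime-version", "pragma", "retry-after", "server", "vary",
  "warning",
]);

// Hypothetical blacklist (an assumption made for this comparison, not
// proposed by anyone in the thread): hide only headers already known to
// carry credentials.
const HYPOTHETICAL_BLACKLIST = new Set([
  "set-cookie", "set-cookie2", "www-authenticate", "proxy-authenticate",
]);

// Lower-case and trim header names so lookups are case-insensitive.
function normalizeHeaders(rawHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    out[name.trim().toLowerCase()] = String(value).trim();
  }
  return out;
}

// CORS lets a server opt additional headers in via
// Access-Control-Expose-Headers, a comma-separated list of header names.
function parseExposeHeaders(headers) {
  const value = headers["access-control-expose-headers"];
  if (!value) return new Set();
  return new Set(
    value.split(",").map((n) => n.trim().toLowerCase()).filter((n) => n !== "")
  );
}

// Return the subset of headers a cross-origin script would be allowed to
// read under the given policy ("whitelist" or "blacklist").
function exposedHeaders(rawHeaders, policy) {
  const headers = normalizeHeaders(rawHeaders);
  const optedIn = parseExposeHeaders(headers);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    let visible;
    if (policy === "whitelist") {
      visible = PROPOSED_WHITELIST.has(name) || optedIn.has(name);
    } else if (policy === "blacklist") {
      visible = !HYPOTHETICAL_BLACKLIST.has(name);
    } else {
      throw new Error(`unknown policy: ${policy}`);
    }
    if (visible) out[name] = value;
  }
  return out;
}

// Constructed sample response (not captured from any real server).
// X-Internal-Session stands in for a header the server started sending after
// the policy was written; X-Request-Id is a header the server deliberately
// opts in through Access-Control-Expose-Headers.
const SAMPLE_RESPONSE_HEADERS = {
  "Content-Type": "application/json",
  "ETag": '"abc123"',
  "Set-Cookie": "sid=secret; HttpOnly",
  "X-Internal-Session": "user=alice;role=admin",
  "X-Request-Id": "req-42",
  "Access-Control-Expose-Headers": "X-Request-Id",
};

function demo() {
  const underWhitelist = exposedHeaders(SAMPLE_RESPONSE_HEADERS, "whitelist");
  const underBlacklist = exposedHeaders(SAMPLE_RESPONSE_HEADERS, "blacklist");
  console.log("whitelist exposes:", Object.keys(underWhitelist));
  console.log("blacklist exposes:", Object.keys(underBlacklist));
  return { underWhitelist, underBlacklist };
}

demo();
```

Under the whitelist the script sees Content-Type, ETag and the opted-in X-Request-Id, but neither Set-Cookie nor the later-added X-Internal-Session. Under the blacklist Set-Cookie is still hidden, but X-Internal-Session is readable cross-origin because nobody anticipated it when the list was written; a server that wants it hidden has to know the list exists and get it updated, whereas under the whitelist it has to know the opt-in header exists to expose anything new. That is the trade-off the two replies above are arguing about.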