
Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 18 Apr 2010 18:56:01 +0200
Message-ID: <4BCB39A1.6070407@gmx.de>
To: Ben Laurie <benl@google.com>
CC: Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, ext Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>

On 18.04.2010 14:35, Ben Laurie wrote:
>     In general, whitelists are bad because they close extension points.
>     Please consider using a black list instead.
> In general, blacklists are bad because they open security holes.

My experience is that people work around white lists by tunneling 
information through the parts they are allowed to use. That doesn't help 
at all, because it makes detecting and blocking the bad stuff even 
harder (example: tunneling other HTTP methods through POST using a 
"method override" request header).

Best regards, Julian

Received on Sunday, 18 April 2010 16:56:39 UTC
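The bypass Julian describes, tunnelling another HTTP method through POST with a "method override" header, as an added example that is not part of the thread: a filter that applies its method allowlist to the *effective* method rather than to the request line. The header and query-parameter names are common framework conventions, assumed here, not anything the thread specifies.

```python
"""Method allowlist that resolves override tunnelling before deciding.
Added example, not from the thread; header/parameter names are common
framework conventions (X-HTTP-Method-Override, _method), assumed here.
"""
from urllib.parse import parse_qs

ALLOWED_METHODS = {"GET", "POST", "HEAD"}
# Places frameworks commonly look for a tunnelled method (assumed set).
OVERRIDE_HEADERS = ("x-http-method-override", "x-method-override")
OVERRIDE_PARAM = "_method"


def effective_method(method, headers, query=""):
    """Return the method an override-honouring application would run."""
    if method.upper() != "POST":           # overrides only ride on POST
        return method.upper()
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in lowered:
            return lowered[name].strip().upper()
    params = parse_qs(query)
    if OVERRIDE_PARAM in params:
        return params[OVERRIDE_PARAM][0].upper()
    return "POST"


def check_request(method, headers, query=""):
    """Apply the allowlist to the effective method; returns (allowed, reason).
    A naive filter looking only at `method` would pass the tunnelled request."""
    eff = effective_method(method, headers, query)
    if eff not in ALLOWED_METHODS:
        if eff != method.upper():
            return False, f"tunnelled method {eff} via POST override"
        return False, f"method {eff} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests for illustration.
    samples = [
        ("GET", {}, ""),
        ("POST", {"X-HTTP-Method-Override": "DELETE"}, ""),
        ("POST", {}, "_method=PUT&id=7"),
    ]
    for m, h, q in samples:
        print(m, h, q, "->", check_request(m, h, q))
```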
