Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

On Apr 18, 2010, at 9:56 AM, Julian Reschke wrote:

> On 18.04.2010 14:35, Ben Laurie wrote:
>>    In general, whitelists are bad because they close extension  
>> points.
>>    Please consider using a black list instead.
>> In general, blacklists are bad because they open security holes.
> My experience is that people work around white lists by tunneling  
> information through the parts they are allowed to use. That doesn't  
> help at all, because it makes detecting and blocking the bad stuff  
> even harder (example: tunneling other HTTP methods through POST  
> using a "method override" request header).

The security concern would be about accidental exposure, not  
deliberate tunneling of additional info. It's fine for two cooperating  
parties to send each other more information on purpose.


Received on Monday, 19 April 2010 07:27:53 UTC