Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

On 19.04.2010 09:41, Maciej Stachowiak wrote:
> ...
>> This obviously would be impossible if another layer (say proxies)
>> would already block that.
>
> It wouldn't be impossible, it just wouldn't have the desired end-to-end
> effect. But proxies are already not allowed to remove random response
> headers.
> ...

Whatever the rule is for proxies should be the rule for a software layer 
as well. What's relevant is the impact on the application.

>> Don't do to others what you don't want to be done to yourself.
>>
>> Blacklist things when there is a problem.
>
> I think a whitelist with opt-in exceptions strikes the right balance
> between security and extensibility. You haven't provided any reasons why
> that's not good enough.

I already did. If multiple layers blocked unknown response headers, and 
each needed a separate way to opt them back in, we'd be in trouble.

Best regards, Julian

Received on Monday, 19 April 2010 07:50:06 UTC
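The "whitelist with opt-in exceptions" that Maciej refers to is the model CORS uses for response headers: a cross-origin script can read only a small fixed set of header names unless the server opts further names in with Access-Control-Expose-Headers. The following filter is an added illustration of that layer, not code from this thread or from any browser; the safelisted names are taken from the Fetch standard's CORS-safelisted response-header list, and the sample headers are constructed for the example.

```javascript
// Added example: the CORS response-header filter as a browser applies it
// to a cross-origin response.  Safelisted names assumed from the Fetch
// standard; any other header needs an explicit opt-in from the server.
const SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Headers a script may never read, whatever the server opts in.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse a comma-separated header-name list; header names are
// case-insensitive, so normalise to lower case.
function parseHeaderList(value) {
  if (!value) return [];
  return value
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

// rawHeaders: name -> value as the server (or an intermediary) sent them.
// Returns the subset a cross-origin script is allowed to read.  With
// credentials the "*" wildcard is not honoured and counts as a literal
// header name, as in the Fetch standard.
function exposedHeaders(rawHeaders, { credentials = false } = {}) {
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers[name.toLowerCase()] = value;
  }

  const optIn = parseHeaderList(headers["access-control-expose-headers"]);
  const wildcard = !credentials && optIn.includes("*");

  const visible = {};
  for (const [name, value] of Object.entries(headers)) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) continue;
    if (SAFELISTED_RESPONSE_HEADERS.has(name) || wildcard || optIn.includes(name)) {
      visible[name] = value;
    }
  }
  return visible;
}

// Constructed sample response: the server opted in X-Request-Id only.
const sampleResponse = {
  "Content-Type": "text/plain",
  "X-Request-Id": "req-123",
  "X-Internal-Trace": "node-7",
  "Set-Cookie": "session=abc",
  "Access-Control-Expose-Headers": "X-Request-Id",
};

function demo() {
  return exposedHeaders(sampleResponse);
}
```

The point Julian raises follows directly from the filter: if a proxy or another software layer dropped `X-Internal-Trace` before the browser saw it, the browser's own whitelist would be moot for that header, and a second, separate opt-in mechanism would be needed to get it back.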