- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 19 Apr 2010 09:49:12 +0200
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Ben Laurie <benl@google.com>, Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, ext Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On 19.04.2010 09:41, Maciej Stachowiak wrote:
> ...
>> This obviously would be impossible if another layer (say proxies)
>> would already block that.
>
> It wouldn't be impossible, it just wouldn't have the desired end-to-end
> effect. But proxies are already not allowed to remove random response
> headers.
> ...

Whatever the rule is for proxies should be the rule for a software layer as well. What's relevant is the impact on the application.

>> Don't do to others what you don't want to be done to yourself.
>>
>> Blacklist things when there is a problem.
>
> I think a whitelist with opt-in exceptions strikes the right balance
> between security and extensibility. You haven't provided any reasons why
> that's not good enough.

I already did. If multiple layers blocked unknown response headers, and each needed a separate way to opt them back in, we'd be in trouble.

Best regards, Julian
Received on Monday, 19 April 2010 07:50:06 UTC