- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 19 Apr 2010 08:44:15 -0700
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Maciej Stachowiak <mjs@apple.com>, Ben Laurie <benl@google.com>, Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, ext Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Mon, Apr 19, 2010 at 1:11 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 19.04.2010 10:03, Maciej Stachowiak wrote:
>>
>> ...
>>>
>>> I already did. If multiple layers blocked unknown response headers,
>>> and each needed a separate way to opt them back in, we'd be in trouble.
>>
>> But that's not the case here. The blocking is solely at the API surface.
>> No one is suggesting that proxies should block unknown response headers.
>> ...
>
> For the application, it's totally irrelevant who's blocking the header. If
> it's blocked, it can't be used, and people *will* come up with ugly
> workarounds which are likely to cause even more problems in the future.

Unfortunately a blacklist approach is simply not safe enough. Fixing
security problems as they come up is not good enough as the turnaround
time is much too slow.

/ Jonas
Received on Monday, 19 April 2010 15:45:10 UTC
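The thread above contrasts two ways an API surface such as a cross-origin XMLHttpRequest can decide which response headers a script may read: hide everything except a known-safe set and let the server opt headers back in, or show everything except a list of names the client already knows to block. The model below is an added example, not code from the thread, from the CORS draft, or from any browser; the safe-header set is the "simple response headers" of the CORS draft of that period, `parseExposeHeaders` and the two filter functions are assumed names, and the sample response (including `X-Unlisted-Header`) is constructed for illustration.

```javascript
// Added example: a model of the CORS filter applied to response headers at
// the API surface, written once as a whitelist and once as a blacklist.
// Not code from the W3C thread, the CORS draft, or any browser.
// Header names are compared case-insensitively, as HTTP requires.

// Headers a cross-origin caller may always read (the CORS draft's
// "simple response headers" at the time of this thread).
const SIMPLE_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-type',
  'expires', 'last-modified', 'pragma',
]);

// Parse "Access-Control-Expose-Headers: X-Foo, X-Bar" into a set of
// lower-cased names; empty entries are ignored.
function parseExposeHeaders(value) {
  if (typeof value !== 'string') return new Set();
  return new Set(
    value.split(',').map((s) => s.trim().toLowerCase()).filter((s) => s !== ''),
  );
}

// Whitelist filter: a header is visible only if it is a simple response
// header or the server opted it in. A header nobody has heard of yet stays
// hidden by default, which is the property the thread argues for.
function whitelistFilter(responseHeaders) {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = value;
  }
  const optedIn = parseExposeHeaders(lower['access-control-expose-headers']);
  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (SIMPLE_RESPONSE_HEADERS.has(name) || optedIn.has(name)) {
      visible[name] = value;
    }
  }
  return visible;
}

// Blacklist filter, for contrast: everything is visible except names the
// client already knows to block. A header the list has never heard of is
// exposed until someone updates the list.
function blacklistFilter(responseHeaders, blockedNames) {
  const blocked = new Set(blockedNames.map((n) => n.toLowerCase()));
  const visible = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    const key = name.toLowerCase();
    if (!blocked.has(key)) visible[key] = value;
  }
  return visible;
}

// Constructed sample response: the server opts in X-Request-Id only;
// X-Unlisted-Header is a hypothetical header on neither list.
const SAMPLE_RESPONSE = {
  'Content-Type': 'application/json',
  'X-Request-Id': 'req-123',
  'X-Unlisted-Header': 'not-meant-for-scripts',
  'Access-Control-Expose-Headers': 'X-Request-Id',
};

console.log('whitelist:', whitelistFilter(SAMPLE_RESPONSE));
console.log('blacklist:', blacklistFilter(SAMPLE_RESPONSE, ['Set-Cookie']));
```

Running the block shows the difference the thread is about: the whitelist exposes only `content-type` and the opted-in `x-request-id`, while the blacklist also exposes `x-unlisted-header` because no one has added it to the blocked list yet.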