Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

On Mon, Apr 19, 2010 at 1:11 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 19.04.2010 10:03, Maciej Stachowiak wrote:
>>
>> ...
>>>
>>> I already did. If multiple layers blocked unknown response headers,
>>> and each needed a separate way to opt them back in, we'd be in trouble.
>>
>> But that's not the case here. The blocking is solely at the API surface.
>> No one is suggesting that proxies should block unknown response headers.
>> ...
>
> For the application, it's totally irrelevant who's blocking the header. If
> it's blocked, it can't be used, and people *will* come up with ugly
> workarounds which are likely to cause even more problems in the future.

Unfortunately a blacklist approach is simply not safe enough. Fixing
security problems as they come up is not good enough as the turnaround
time is much too slow.

/ Jonas
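The mechanism under discussion, simulated as an added illustration (not code from the thread or from any browser): the browser-side CORS response-header filter as a whitelist (safelisted names plus the server's `Access-Control-Expose-Headers` opt-in) next to the blacklist alternative Jonas argues against. All header names and values below are constructed for the example.

```python
# Added illustration (not part of the thread): browser-side CORS response-header
# filtering as a whitelist ("expose list") versus a blacklist. Names constructed.

# Response headers the Fetch/CORS spec lets script read without any opt-in.
CORS_SAFELISTED = {"cache-control", "content-language", "content-length",
                   "content-type", "expires", "last-modified", "pragma"}
# Headers a browser never exposes to script, regardless of opt-in.
FORBIDDEN_RESPONSE = {"set-cookie", "set-cookie2"}


def expose_whitelist(headers: dict, credentials: bool = False) -> dict:
    """Return the headers script may read under CORS: safelisted names plus
    those the server opted in via Access-Control-Expose-Headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    exposed = {n.strip().lower()
               for n in lower.get("access-control-expose-headers", "").split(",")
               if n.strip()}
    # "*" means "everything" only for requests made without credentials.
    allow_all = "*" in exposed and not credentials
    return {k: v for k, v in lower.items()
            if k not in FORBIDDEN_RESPONSE
            and (allow_all or k in CORS_SAFELISTED or k in exposed)}


def expose_blacklist(headers: dict, blocked: set) -> dict:
    """The alternative: expose everything except names on a known-bad list.
    Anything the list's author did not anticipate stays readable."""
    return {k.lower(): v for k, v in headers.items()
            if k.lower() not in blocked | FORBIDDEN_RESPONSE}


# Constructed server response: one header the site meant to share, one
# internal header that nobody thought to put on a blacklist.
RESPONSE = {
    "Content-Type": "application/json",
    "X-Request-Id": "req-0001",
    "X-Internal-Debug-Token": "example-internal-value",
    "Set-Cookie": "session=example",
    "Access-Control-Expose-Headers": "X-Request-Id",
}

if __name__ == "__main__":
    print("whitelist exposes:", sorted(expose_whitelist(RESPONSE)))
    print("blacklist exposes:", sorted(expose_blacklist(RESPONSE, {"x-powered-by"})))
```

Under the whitelist the internal header stays hidden until the server lists it; under the blacklist it is readable the moment someone adds a header the list did not foresee, which is the turnaround problem the message describes.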

Received on Monday, 19 April 2010 15:45:10 UTC