Allowing any author request header in CORS

Hi guys,

I maintain the CORS filter for Java servlet apps [1].

The default configuration of the filter has been to deny all author
request headers [2]. Developers can allow selected headers by explicitly
listing their names in the filter configuration.

The other day I received a suggestion to add a special keyword to denote
any header and to make this the new default policy of the CORS filter
(allow any author request header). I wish to hear your opinion, guys, on
the security implications of that.

Thanks,

Vladimir

[1] http://software.dzhuvinov.com/cors-filter.html
[2] http://software.dzhuvinov.com/cors-filter-configuration.html#cors.supportedHeaders


-- 
Vladimir Dzhuvinov <vladimir@dzhuvinov.com>

Received on Saturday, 4 May 2013 07:52:51 UTC
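
To make the two defaults discussed in the message above concrete, here is an added example (not part of the original post and not the CORS filter's own code) of a preflight check under deny-all, an explicit list, and allow-any. The `HeaderPolicy` class, its method names and the sample header values are assumptions; the allow-any branch echoes the requested names back, which is one possible way to implement such a keyword.

```java
import java.util.*;

// Added illustration; HeaderPolicy is a hypothetical class, not the CORS filter's API.
public class HeaderPolicy {
    // RFC 7230 token syntax: a name that does not match is never echoed into a response.
    private static final String TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
    private final boolean any;
    private final Set<String> allowed = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);

    private HeaderPolicy(boolean any, String... names) {
        this.any = any;
        allowed.addAll(Arrays.asList(names));
    }
    static HeaderPolicy denyAll() { return new HeaderPolicy(false); }
    static HeaderPolicy allowListed(String... names) { return new HeaderPolicy(false, names); }
    static HeaderPolicy allowAny() { return new HeaderPolicy(true); }

    /**
     * Checks the Access-Control-Request-Headers value of a preflight request.
     * Returns the Access-Control-Allow-Headers value to send, or empty to reject.
     */
    Optional<String> evaluate(String requestHeadersValue) {
        if (requestHeadersValue == null) return Optional.of(""); // no author headers requested
        List<String> granted = new ArrayList<>();
        for (String part : requestHeadersValue.split(",")) {
            String name = part.trim();
            if (name.isEmpty()) continue;
            if (!name.matches(TOKEN)) return Optional.empty();   // malformed header name
            if (!any && !allowed.contains(name)) return Optional.empty();
            granted.add(name);
        }
        return Optional.of(String.join(", ", granted));
    }

    public static void main(String[] args) {
        // Constructed preflight values, not taken from the post.
        String[] samples = { "content-type", "Content-Type, X-Requested-With", "X-Bad Name" };
        Map<String, HeaderPolicy> policies = new LinkedHashMap<>();
        policies.put("deny all", denyAll());
        policies.put("allow listed", allowListed("Content-Type"));
        policies.put("allow any", allowAny());
        for (Map.Entry<String, HeaderPolicy> p : policies.entrySet())
            for (String s : samples)
                System.out.printf("%-12s %-32s -> %s%n", p.getKey(), s,
                    p.getValue().evaluate(s).orElse("REJECT"));
    }
}
```

Only the allow-any policy grants `X-Requested-With` in this run; the listed policy grants `content-type` regardless of case, and the malformed name is rejected by all three.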