W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Allowing any author request header in CORS

From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Date: Sat, 04 May 2013 10:45:19 +0300
Message-ID: <1367653519.2100.14.camel@shakespeare>
To: public-webappsec@w3.org

Hi guys,

I maintain the CORS filter for Java servlet apps [1].

The default configuration of the filter has been to deny all author
request headers [2]. Developers can allow selected headers by explicitly
listing their names in the filter configuration.

The other day I received a suggestion to add a special keyword to denote
any header and to make this the new default policy of the CORS filter
(allow any author request header). I wish to hear your opinion, guys, on
the security implications of that.

Thanks,

Vladimir

[1] http://software.dzhuvinov.com/cors-filter.html
[2] http://software.dzhuvinov.com/cors-filter-configuration.html#cors.supportedHeaders


-- 
Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Received on Saturday, 4 May 2013 07:52:51 UTC
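The two policies the message contrasts, written out as an added example that is not part of the original post and not the CORS filter's own code. It models the preflight decision only: the browser's `Access-Control-Request-Headers` value is checked against a configured allowlist (the filter's described default, deny anything not listed) and, for comparison, against a wildcard policy that echoes back whatever was requested. The header names and the `supported` set are constructed sample values; the treatment of the CORS "simple" request headers follows the CORS specification, which lets a browser send them without preflight approval.

```python
"""Preflight handling for author request headers: explicit allowlist vs wildcard.

Added example, not code from the CORS filter project. Header values below are
constructed for illustration.
"""
from typing import Dict, List, Optional, Set

# Request headers the CORS spec treats as "simple"; a browser may send these
# without listing them in Access-Control-Request-Headers, so a filter should
# accept them even when they are not in its configured allowlist.
SIMPLE_REQUEST_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def parse_requested_headers(value: Optional[str]) -> List[str]:
    """Split a comma-separated Access-Control-Request-Headers value into names.

    Original spelling is kept for echoing; comparisons are done case-insensitively.
    """
    if not value:
        return []
    return [h.strip() for h in value.split(",") if h.strip()]


def allow_headers_explicit(requested: Optional[str], supported: Set[str]) -> Optional[str]:
    """Allowlist policy (the filter's described default).

    Returns the Access-Control-Allow-Headers value to emit, or None when the
    preflight must be rejected because a requested header is neither a simple
    header nor in the configured list.
    """
    supported_lc = {h.lower() for h in supported}
    names = parse_requested_headers(requested)
    for name in names:
        lc = name.lower()
        if lc not in supported_lc and lc not in SIMPLE_REQUEST_HEADERS:
            return None  # unknown author header: deny the preflight
    return ", ".join(names)


def allow_headers_wildcard(requested: Optional[str]) -> str:
    """Wildcard policy: every requested header is echoed back, no questions asked.

    Nothing the client names is ever refused, so the server-side check carries
    no information about which headers the application actually expects.
    """
    return ", ".join(parse_requested_headers(requested))


def preflight_response(requested: Optional[str], supported: Set[str],
                       allow_any: bool = False) -> Optional[Dict[str, str]]:
    """Build the CORS-relevant response headers for a preflight, or None to reject.

    `allow_any` selects the wildcard policy; otherwise the allowlist is enforced.
    """
    if allow_any:
        allowed = allow_headers_wildcard(requested)
    else:
        allowed = allow_headers_explicit(requested, supported)
        if allowed is None:
            return None
    headers = {"Access-Control-Allow-Methods": "GET, POST"}
    if allowed:
        headers["Access-Control-Allow-Headers"] = allowed
    return headers


if __name__ == "__main__":
    # Constructed sample: the app only expects X-Requested-With from scripts.
    supported = {"X-Requested-With"}
    print(preflight_response("X-Requested-With, Content-Type", supported))
    print(preflight_response("Authorization", supported))              # None: rejected
    print(preflight_response("Authorization", supported, allow_any=True))  # echoed
```

Running the block shows the practical difference: under the allowlist a preflight naming a header the application never declared is refused before the actual request is sent, whereas the wildcard policy approves any header name, so the decision about which headers are acceptable moves entirely into the application's own request handling.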
