On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close <tyler.cl...@gmail.com> wrote:
> I have been studying CORS ISSUE-90
> <http://www.w3.org/2008/webapps/track/issues/90>, so as to bring UMP
> into line with this part of CORS. I can't find any pattern or
> rationale to the selection of headers on the whitelist versus those
> not on the whitelist. Does anyone know where this list came from and
> how it was produced?
>
> If I produce a more comprehensive whitelist for UMP will CORS follow my lead?

The following whitelist includes all end-to-end response headers defined by HTTP, unless there is a specific security risk:

# Age
# Allow
# Cache-Control
# Content-Disposition
# Content-Encoding
# Content-Language
# Content-Length
# Content-Location
# Content-MD5
# Content-Range
# Content-Type
# Date
# ETag
# Expires
# Last-Modified
# Location
# MIME-Version
# Pragma
# Retry-After
# Server
# Vary
# Warning

Does anyone object to making this the new whitelist for both CORS and UMP?

--Tyler