On 14.04.2010 20:20, Tyler Close wrote:
On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close<tyler.cl...@gmail.com>  wrote:
I have been studying CORS ISSUE-90
<http://www.w3.org/2008/webapps/track/issues/90>, so as to bring UMP
into line with this part of CORS. I can't find any pattern or
rationale to the selection of headers on the whitelist versus those
not on the whitelist. Does anyone know where this list came from and
how it was produced?

If I produce a more comprehensive whitelist for UMP will CORS follow my lead?

The following whitelist includes all end-to-end response headers
defined by HTTP, unless there is a specific security risk:

# Age
# Allow
# Cache-Control
# Content-Disposition
# Content-Encoding
# Content-Language
# Content-Length
# Content-Location
# Content-MD5
# Content-Range
# Content-Type
# Date
# ETag
# Expires
# Last-Modified
# Location
# MIME-Version
# Pragma
# Retry-After
# Server
# Vary
# Warning

Does anyone object to making this the new whitelist for both CORS and UMP?

In general, whitelists are bad because they close extension points. Please consider using a black list instead.

Best regards, Julian
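To make the quoted proposal concrete, here is an added example (my own code, not Tyler's, Julian's or any implementation's) that filters a captured HTTP response down to the headers a cross-origin script could read under the whitelist above. It assumes CORS's `Access-Control-Expose-Headers` is the server-side opt-in extension point, keeps `Set-Cookie` hidden regardless, and checks that the "end-to-end" whitelist really contains no RFC 2616 hop-by-hop names.

```javascript
const PROPOSED_WHITELIST = new Set([
  "Age", "Allow", "Cache-Control", "Content-Disposition", "Content-Encoding",
  "Content-Language", "Content-Length", "Content-Location", "Content-MD5",
  "Content-Range", "Content-Type", "Date", "ETag", "Expires", "Last-Modified",
  "Location", "MIME-Version", "Pragma", "Retry-After", "Server", "Vary", "Warning",
].map((h) => h.toLowerCase()));

// RFC 2616 section 13.5.1 hop-by-hop headers: not end-to-end, never candidates.
const HOP_BY_HOP = new Set(["connection", "keep-alive", "proxy-authenticate",
  "proxy-authorization", "te", "trailer", "transfer-encoding", "upgrade"]);

// Credential-bearing headers that stay hidden even if a server opts them in.
const NEVER_EXPOSE = new Set(["set-cookie", "set-cookie2"]);

// rawHeaders: array of [name, value] pairs as received on the wire.
// Returns a Map of lower-cased name -> value that cross-origin script may read.
function exposedHeaders(rawHeaders) {
  const lower = rawHeaders.map(([n, v]) => [n.toLowerCase(), v.trim()]);
  // Assumed extension point: the server's Access-Control-Expose-Headers value,
  // parsed as a comma-separated list of header names.
  const optIn = new Set();
  for (const [n, v] of lower) {
    if (n === "access-control-expose-headers") {
      v.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean)
        .forEach((t) => optIn.add(t));
    }
  }
  const visible = new Map();
  for (const [n, v] of lower) {
    if (NEVER_EXPOSE.has(n) || HOP_BY_HOP.has(n)) continue;
    if (PROPOSED_WHITELIST.has(n) || optIn.has(n)) visible.set(n, v);
  }
  return visible;
}

// Sanity check on the proposal itself: returns any hop-by-hop names that
// slipped into the "end-to-end" whitelist (expected: none).
function hopByHopInWhitelist() {
  return [...PROPOSED_WHITELIST].filter((h) => HOP_BY_HOP.has(h));
}

// Constructed sample response, not captured from any real server.
const SAMPLE = [
  ["Content-Type", "application/json"],
  ["ETag", "\"abc123\""],
  ["Set-Cookie", "session=constructed; HttpOnly"],
  ["Transfer-Encoding", "chunked"],
  ["X-Request-Id", "req-0001"],
  ["Access-Control-Expose-Headers", "X-Request-Id, Set-Cookie"],
];
```

Run against `SAMPLE`, the filter exposes Content-Type, ETag and the opted-in X-Request-Id, while Set-Cookie stays hidden even though the server listed it.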
