On 18 April 2010 07:48, Julian Reschke <julian.resc...@gmx.de> wrote:
> On 14.04.2010 20:20, Tyler Close wrote:
>> On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close <tyler.cl...@gmail.com> wrote:
>>> I have been studying CORS ISSUE-90
>>> <http://www.w3.org/2008/webapps/track/issues/90>, so as to bring UMP
>>> into line with this part of CORS. I can't find any pattern or
>>> rationale to the selection of headers on the whitelist versus those
>>> not on the whitelist. Does anyone know where this list came from and
>>> how it was produced?
>>>
>>> If I produce a more comprehensive whitelist for UMP will CORS follow my
>>> lead?
>>
>> The following whitelist includes all end-to-end response headers
>> defined by HTTP, unless there is a specific security risk:
>>
>> # Age
>> # Allow
>> # Cache-Control
>> # Content-Disposition
>> # Content-Encoding
>> # Content-Language
>> # Content-Length
>> # Content-Location
>> # Content-MD5
>> # Content-Range
>> # Content-Type
>> # Date
>> # ETag
>> # Expires
>> # Last-Modified
>> # Location
>> # MIME-Version
>> # Pragma
>> # Retry-After
>> # Server
>> # Vary
>> # Warning
>>
>> Does anyone object to making this the new whitelist for both CORS and UMP?
>
> In general, whitelists are bad because they close extension points. Please
> consider using a black list instead.

In general, blacklists are bad because they open security holes.
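The contrast the reply draws, as an added example that is not part of the thread or of either spec: a toy model of the filtering a browser applies to response headers before handing a cross-origin response to script. The whitelist is the one proposed in the quoted message; the server may opt further headers in via Access-Control-Expose-Headers. The blacklist, the raw response, and the header names X-Internal-Token and X-Request-Id are assumptions constructed for the illustration, not anything the thread proposes.

```javascript
// Added illustration, not code from the thread, CORS or UMP.
// Whitelist: the response-header list proposed in the quoted message.
const PROPOSED_WHITELIST = new Set([
  "age", "allow", "cache-control", "content-disposition", "content-encoding",
  "content-language", "content-length", "content-location", "content-md5",
  "content-range", "content-type", "date", "etag", "expires", "last-modified",
  "location", "mime-version", "pragma", "retry-after", "server", "vary", "warning",
]);

// Illustrative blacklist (an assumption, not one proposed in the thread):
// whatever it does not name leaks through, including headers that did not
// exist when the list was written.
const ILLUSTRATIVE_BLACKLIST = new Set([
  "set-cookie", "set-cookie2", "www-authenticate", "proxy-authenticate",
]);

// Parse a raw header block ("Name: value" per line) into [name, value] pairs,
// lower-casing names and preserving duplicates (e.g. several Set-Cookie lines).
function parseHeaders(raw) {
  return raw
    .split(/\r?\n/)
    .filter((line) => line.includes(":"))
    .map((line) => {
      const i = line.indexOf(":");
      return [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()];
    });
}

// Names the server explicitly opts in via Access-Control-Expose-Headers.
function exposedByServer(headers) {
  const names = new Set();
  for (const [name, value] of headers) {
    if (name !== "access-control-expose-headers") continue;
    for (const token of value.split(",")) {
      const t = token.trim().toLowerCase();
      if (t) names.add(t);
    }
  }
  return names;
}

// Whitelist policy: visible only if on the list or opted in by the server.
function visibleWithWhitelist(headers) {
  const optedIn = exposedByServer(headers);
  return headers.filter(([name]) => PROPOSED_WHITELIST.has(name) || optedIn.has(name));
}

// Blacklist policy: visible unless explicitly forbidden.
function visibleWithBlacklist(headers) {
  return headers.filter(([name]) => !ILLUSTRATIVE_BLACKLIST.has(name));
}

function names(headers) {
  return headers.map(([name]) => name);
}

// Constructed sample response; X-Internal-Token stands in for a header the
// policy author never anticipated, X-Request-Id for one the server opts in.
const SAMPLE_RESPONSE = [
  "Content-Type: application/json",
  "Cache-Control: no-store",
  "Set-Cookie: session=abc; HttpOnly",
  "X-Internal-Token: not-for-other-origins",
  "X-Request-Id: 7f3a",
  "Access-Control-Expose-Headers: X-Request-Id",
].join("\r\n");

function demo() {
  const headers = parseHeaders(SAMPLE_RESPONSE);
  return {
    whitelist: names(visibleWithWhitelist(headers)),
    blacklist: names(visibleWithBlacklist(headers)),
  };
}

console.log(demo());
```

Run with node. Under the whitelist, Set-Cookie and the unanticipated X-Internal-Token stay hidden while X-Request-Id is visible only because the server listed it; under the blacklist, X-Internal-Token and anything else the list's author never thought of leak to the cross-origin caller, which is the hole the reply refers to.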