Allowing any author request header in CORS

Hi guys,

I maintain the CORS filter for Java servlet apps [1].

The default configuration of the filter has been to deny all author
request headers [2]. Developers can allow selected headers by explicitly
listing their names in the filter configuration.

The other day I received a suggestion to add a special keyword to denote
any header and to make this the new default policy of the CORS filter
(allow any author request header). I wish to hear your opinion, guys, on
the security implications of that.

Thanks,

Vladimir

[1] http://software.dzhuvinov.com/cors-filter.html
[2] http://software.dzhuvinov.com/cors-filter-configuration.html#cors.supportedHeaders


-- 
Vladimir Dzhuvinov <vladimir@dzhuvinov.com>

Received on Saturday, 4 May 2013 07:52:51 UTC
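
The two policies discussed in the message above, shown as an added example (not code from the CORS Filter or from the author): how a preflight's Access-Control-Request-Headers value is evaluated under deny-all, under an explicit list, and under the proposed "any header" keyword. The class and method names are hypothetical, and echoing the requested names back is an assumed way of implementing "any".

```java
import java.util.*;

// Added illustration; PreflightHeaderPolicy is a hypothetical name, not the filter's API.
public class PreflightHeaderPolicy {
    private final boolean allowAny; // models the proposed "any header" keyword
    private final Set<String> allowed = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);

    PreflightHeaderPolicy(boolean allowAny, String... names) {
        this.allowAny = allowAny;
        allowed.addAll(Arrays.asList(names)); // header names compare case-insensitively
    }

    /** Returns the Access-Control-Allow-Headers value, or empty if the preflight is rejected. */
    Optional<String> evaluate(String accessControlRequestHeaders) {
        List<String> requested = new ArrayList<>();
        if (accessControlRequestHeaders != null) {
            for (String part : accessControlRequestHeaders.split(",")) {
                String name = part.trim();
                if (!name.isEmpty()) requested.add(name);
            }
        }
        if (!allowAny) {
            // Explicit-list policy: a single unlisted name rejects the whole preflight.
            for (String name : requested) {
                if (!allowed.contains(name)) return Optional.empty();
            }
        }
        // "Any" policy (assumed implementation): echo whatever names the browser asked for.
        // A preflight that requests no author headers passes under every policy.
        return Optional.of(String.join(", ", requested));
    }

    public static void main(String[] args) {
        // Constructed preflight header value, for illustration only.
        String acrh = "Content-Type, X-Requested-With, Authorization";
        Map<String, PreflightHeaderPolicy> policies = new LinkedHashMap<>();
        policies.put("deny all (current default)", new PreflightHeaderPolicy(false));
        policies.put("explicit list", new PreflightHeaderPolicy(false, "content-type", "x-requested-with"));
        policies.put("any header (proposed)", new PreflightHeaderPolicy(true));
        policies.forEach((label, policy) -> System.out.println(
            label + " -> " + policy.evaluate(acrh).map(v -> "allow: " + v).orElse("reject")));
    }
}
```

With the constructed input, only the "any header" policy lets the cross-origin request carry Authorization; the other two reject the preflight because that name is not listed.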
