On Thu, Aug 11, 2016 at 4:04 PM, Jim Jagielski <j...@jagunet.com> wrote:
>> It seems that the two need some potentially different
>> rulesets. If you are running a forward proxy, you would want to be quite
>> strict about the responses. If you are only a gateway of trusted backend
>> servers and apps, you might want to be more tolerant (although Roy and
>> Jim may disagree with me on this.)

Devil's advocate: Trusted backend + spectre of XSS could put you right back in strict mindset.