On 19.04.2010 20:30, Tyler Close wrote:
...
Again: did you check all the headers in the permanent registry? If you did,
why are the ones (which are just examples) missing? And what's the reason to
default to strip general headers and response headers?

Again, the model is to define a minimal whitelist and enable servers
to explicitly extend the minimal whitelist. The default members of the
whitelist only exist as a convenience, so that servers don't have to
explicitly list them on every response.

Also, asking a static specification to keep up with a mutable registry
is not feasible.
...

Yes. That's exactly the reason why a whitelist is the wrong choice.

Best regards, Julian
