from Hacker News

Request for a new header: State-Of-The-Art

by jewbacca on 3/8/17, 8:44 AM with 12 comments

  • by icebraining on 3/9/17, 9:35 PM

    So you add this header. And then something new comes up. What then?

    If the same header automatically adds that meaning as well, your site can break essentially randomly, unless you keep tabs on the new stuff and adapt the site to handle them - in which case, you don't really need this header, you can just add the new stuff as it comes up.

    If the header is fixed in meaning ("best practices as of 03/2017"), then what value was really gained over simply copy-pasting a list of the recommended headers as of that date?

    It just seems like it's either mostly useless, or too dangerous to use.

  • by forgottenpass on 3/9/17, 9:33 PM

    I can't tell if this is serious or satire.

  • by ctcherry on 3/9/17, 11:44 PM

    Relevant XKCD, Standards: https://xkcd.com/927/

  • by hinkley on 3/10/17, 2:18 AM

    Response header size notwithstanding, isn't this really a problem of app servers having really shitty default headers?

    You make people turn off safety features manually and the rest of us are fine.

  • by beaconstudios on 3/10/17, 2:18 PM

    > Allows CORS from any domain with any headers without OPTIONS preflights.

    That'd be a great way to make CSRF attacks from any domain a default setting.

  • by YuriNiyazov on 3/9/17, 9:38 PM

    And then we will have compatibility tests for browsers that implement how they read SOTA differently. Yuck.