It says Authorization, but this is really more of an anti-CSRF token, not an actual authorization credential, and anti-CSRF tokens are completely legitimate to return over an unauthenticated HTTP endpoint.
I think it depends mostly on the context. If you only want to allow a known subset of items, prefer a whitelist. If you want to avoid a subset of items, prefer a blacklist.
Yeah, but the hard-earned wisdom the parent post is trying to impart is that if you think you want to avoid a subset of items, you're probably wrong.
In an explicitly enumerated category, blacklists and whitelists are logically equivalent and can be used interchangeably. In almost every other case blacklists are insufficient because new items can generally be created, either maliciously or just accidentally as the size of the category grows, which are not on the blacklist but which share whatever bad trait you were hoping to protect against.
I'm sure there are a few exceptions, but generally speaking any problem that can be solved with either a blacklist or a whitelist should use the whitelist, just to be safe. A problem that can't use a whitelist is probably not actually solvable by a blacklist either, and trying to use one is likely to fail in the long run.
My personal heuristic is to always favor the positive collection, which comes from databases where retrieving a set of data is much easier and more efficient than retrieving a set of data EXCEPT THESE. I always figured there was math to back this up.
That's literally just the definition of a whitelist and a blacklist. I think the comment you were replying to was making the point that blacklists generally work poorly in practice and should be reconsidered where at all possible.
It's not a whitelist of domains, but of applications allowed to use the agent. Right now Blizzard is blacklisting only the browsers from using it, but that still leaves a bunch of other things like slack and whatnot.
It's indeed a very strange patch from Blizzard. As if they hastily assigned an intern to it and then called it a day.
A blacklist won't allow items that match and a whitelist only allows items that match. Blacklists include by default and whitelists exclude by default.
Since the regex needs to match to be included - it is, by definition, a whitelist. It excludes by default anything that doesn't match. It just so happens the net being cast is so wide as to be "all except ____" where a whitelist is usually seen as "none except ____".
Think of it as shorthand for a list that expands to be infinitely large. [0]
People would consider a blacklist that includes ` * .example.com` to be a list that contains all potential subdomains of `example.com`. With ` * ` being seen as shorthand.
E: Spaces around the asterisk added to avoid HN formatting.
[0] Technical limitations aside, especially in the context of URL matching since URLs have a maximum character length.
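As an added illustration of the two points made above (a blocklist admits any newly created item that shares the bad trait, and a "must match" regex is formally a whitelist even when its pattern is a negation), here is a small Python comparison. It is example code written for this thread, not Blizzard's agent code, and the requester names, the lists and the regex are all constructed for the demonstration.

```python
import re

# Constructed sample: identities of local programs asking an agent for a token.
# "newbrowser" and "chat-client" stand in for items that did not exist (or
# were not considered) when the block rule was written.
REQUESTERS = ["game-launcher", "chrome", "firefox", "newbrowser", "chat-client"]

# Blocklist: the browsers known at the time the rule was written (constructed).
BLOCKED = {"chrome", "firefox"}
# Allowlist: the single client the agent is actually meant to serve (constructed).
ALLOWED = {"game-launcher"}


def allowed_by_blocklist(name, blocked=BLOCKED):
    """Default-allow: anything not explicitly listed gets through."""
    return name not in blocked


def allowed_by_allowlist(name, allowed=ALLOWED):
    """Default-deny: only explicitly listed names get through."""
    return name in allowed


# The same blocklist expressed as a single regex that the input MUST match.
# Formally this is a whitelist (non-matching input is excluded), but because
# the pattern is a negative lookahead it still admits everything not listed,
# so its effective policy is identical to the blocklist above.
BLOCK_AS_REGEX = re.compile(r"^(?!(?:chrome|firefox)$).*$")


def allowed_by_negated_regex(name):
    """Whitelist in form, blocklist in effect."""
    return BLOCK_AS_REGEX.match(name) is not None


def compare(names=REQUESTERS):
    """Map each requester to (blocklist, negated_regex, allowlist) decisions."""
    return {
        n: (allowed_by_blocklist(n), allowed_by_negated_regex(n), allowed_by_allowlist(n))
        for n in names
    }


def leaks(names=REQUESTERS):
    """Requesters the blocklist admits but the allowlist would refuse.

    These are exactly the 'new items sharing the bad trait' that a blocklist
    cannot anticipate; the allowlist refuses them without any rule change.
    """
    return [n for n in names if allowed_by_blocklist(n) and not allowed_by_allowlist(n)]


if __name__ == "__main__":
    for name, decision in compare().items():
        print(f"{name:14} blocklist={decision[0]!s:5} regex={decision[1]!s:5} allowlist={decision[2]}")
    print("admitted by blocklist only:", leaks())
```

Running it shows the blocklist and the negated regex agreeing on every input, and both waving through `newbrowser` and `chat-client`; only the allowlist refuses them, which is the operational difference the thread is arguing about.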
If it's not a joke, it's at least an exercise in absurdity.
I wrote a regex that would allow things that aren't facebook, and then you said "No, you're not allowing things that aren't facebook, you're not allowing things that don't match not being facebook".
If it's not a white-list, it's at least an opposite-of-black-list.
If you think you need a blacklist you should probably be using a whitelist. If your problem can't be solved with a whitelist then it's probably better solved in a way that doesn't involve a blacklist or a whitelist.