From memory, those whitelisted headers are headers that are legal to return in a response to a user.
I think the idea was to prevent the leaking of a header that we don't want to return. So, when we return
a v1 response to a user, the set of 'x-image-meta-...' headers that is possible for the user to see is defined
by this whitelist. (There had been a bug where we were returning something the user shouldn't see as a
header).