The initial audit of this was in bug 1109938. See also the Audit notes for it in our internal wiki. A quick survey of the current situation should be enough to adjust this whitelisting.