W3C home > Mailing lists > Public > public-appformats@w3.org > August 2006

Access Control HTTP header proposal

From: Dean Jackson <dino@w3.org>
Date: Wed, 30 Aug 2006 18:59:05 +1000
Message-Id: <FDE47C6E-4CA4-4BC6-A9A6-9DFA1C71145D@w3.org>
To: public-appformats@w3.org

Here is a proposal for an Access Control HTTP header. The
idea is that it does everything the XML PI can, but without
needing to modify the source content.

Dean

Access-Control HTTP Header
==========================

Any document retrieved via HTTP MAY have access control rules
defined in the HTTP header.

--------------------------------------------------------------

Access-Control      = "Access-Control" ":"
                       1#access-control-rule

access-control-rule = instruction SP "<" uripattern ">"

instruction         = "allow" / "deny" / token

uripattern          ; URI from RFC3986, replacing
                     ; reg-name with wildcard-reg-name

wildcard-reg-name   = *( unreserved | pct-encoded |
                          sub-delims | "{*}" )

--------------------------------------------------------------

NOTE: The header name may change in future drafts.

NOTE: Should extension instructions be allowed? Should they
be ignored? eg. Ignoring allow-on-tuesday doesn't weaken
the security policy but ignoring deny-on-tuesday will.

Both the header field name and value are case-insensitive.

If the keyword "allow" is the instruction then the URI patterns
for that header are added to the allow ruleset. If the keyword
"deny" is the instruction then the URI patterns for that header
are added to the deny ruleset.

As required by RFC2616, multiple Access-Control headers are
combined in the order in which they are received. For example,
the following two HTTP responses and XML Processing Instruction
generate the same ruleset.

-------------------------------------------------------------
HTTP/1.1 200 OK
Date: Wed, 23 Aug 2006 09:31:41 GMT
Server: Apache/1.3.37 (Unix)
Content-Length: 32924
Content-Type: text/html; charset=utf-8
Access-Control: allow http://good.example.com, allow http:// 
nice.example.com
Access-Control: allow http://friendly.example.com, deny http:// 
*.example.com

HTTP/1.1 200 OK
Date: Wed, 23 Aug 2006 09:31:41 GMT
Server: Apache/1.3.37 (Unix)
Content-Length: 32924
Content-Type: text/html; charset=utf-8
Access-Control: allow http://good.example.com, allow http:// 
nice.example.com, allow http://friendly.example.com, deny http:// 
*.example.com

<?access-control allow="http://good.example.com
                         http://friendly.example.com
                         http://nice.example.com"
                  deny="http://*.example.com"?>
-------------------------------------------------------------

An Access-Control header is in error if the value has incorrect
syntax, that is if either the instruction or any uripattern is
malformed. If any Access-Control header is in error then the User
Agent should ignore all Access-Control headers and use its
default security policy.
Received on Wednesday, 30 August 2006 08:59:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:20 GMT