
Re: [AC] Access Control Algorithm

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 25 Apr 2007 11:03:01 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.trb0rbsz64w2qv@id-c0020>

On Tue, 24 Apr 2007 21:12:35 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> One thing that is very important IMHO is that it is possible using
> headers to turn off access to a whole server. One use case for this would
> be if a site notices some files are misconfigured and as an immediate
> security precaution disables access to all files while figuring out what
> is wrong.
> Another scenario would be a hosting server such as livejournal or
> geocities wanting to disable access to all their hosted files even
> though other users manage the contents of those files.

How about changing:

   rule ::= "allow" (pattern)+ ("exclude" (pattern)+)?

To:

   rule  ::= deny | allow
   deny  ::= "deny" (pattern)+
   allow ::= "allow" (pattern)+ ("exclude" (pattern)+)?

And then letting the algorithm in section 3 first seek through all
explicit deny clauses.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 25 April 2007 09:03:09 GMT
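The deny-first evaluation Anne proposes, as an added example that is not part of the original thread or of the spec: a small parser for the `deny | allow ... exclude` grammar and an evaluator that consults every deny clause before any allow clause. The rule-line format, the origin string shape (`scheme://host`) and `*` glob matching are assumptions, not the spec's pattern syntax.

```python
"""Toy evaluator for the 'deny | allow ... exclude' rule grammar from the
thread above. Added example; pattern syntax (glob on 'scheme://host') and
the one-rule-per-line format are assumptions, not the spec's definition."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List


@dataclass
class Rule:
    kind: str                  # "deny" or "allow"
    patterns: List[str]        # (pattern)+
    excludes: List[str] = field(default_factory=list)  # allow-only


def parse_rule(text: str) -> Rule:
    """Parse 'deny p+' or 'allow p+ [exclude p+]'; reject malformed rules."""
    tokens = text.split()
    if not tokens or tokens[0] not in ("deny", "allow"):
        raise ValueError(f"rule must start with deny or allow: {text!r}")
    kind, rest = tokens[0], tokens[1:]
    excludes: List[str] = []
    if "exclude" in rest:
        if kind == "deny":
            raise ValueError("deny has no exclude clause in the proposed grammar")
        idx = rest.index("exclude")
        rest, excludes = rest[:idx], rest[idx + 1:]
        if not excludes:
            raise ValueError(f"exclude needs at least one pattern: {text!r}")
    if not rest:
        raise ValueError(f"at least one pattern is required: {text!r}")
    return Rule(kind, rest, excludes)


def matches(pattern: str, origin: str) -> bool:
    # Assumption: case-insensitive glob over the whole origin string.
    return fnmatchcase(origin.lower(), pattern.lower())


def access_allowed(rules: List[Rule], origin: str) -> bool:
    """Deny clauses win over every allow clause, so one server-wide
    'deny *' shuts off access even where per-file allow rules exist."""
    for rule in rules:
        if rule.kind == "deny" and any(matches(p, origin) for p in rule.patterns):
            return False
    for rule in rules:
        if rule.kind == "allow" and any(matches(p, origin) for p in rule.patterns):
            if not any(matches(e, origin) for e in rule.excludes):
                return True
    return False  # nothing matched: access stays off by default
```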
