- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 25 Apr 2007 11:03:01 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Tue, 24 Apr 2007 21:12:35 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> One thing that is very important IMHO is that it is possible using
> headers to turn off access to a whole server. One usecase for this would
> be if a site notices some files are missconfigured and as immediate
> security precaution disables access to all files while figuring out what
> is wrong.
> Another scenario would be a hosting server such as livejournal or
> geocities wanting to disable access to all their hosted files even
> though other users manage the contents of those files.
How about changing:
rule ::= "allow" (pattern)+ ("exclude" (pattern)+)?
To:
rule ::= deny | allow
deny ::= "deny" (pattern)+
allow ::= "allow" (pattern)+ ("exclude" (pattern)+)?
And then letting the algorithm in section 3 first seek through all
explicit deny clauses.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 25 April 2007 09:03:09 UTC