W3C home > Mailing lists > Public > public-appformats@w3.org > April 2007

Re: [AC] Access Control Algorithm

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 26 Apr 2007 13:37:47 -0700
Message-ID: <46310D9B.6070308@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>

Anne van Kesteren wrote:
> On Tue, 24 Apr 2007 21:12:35 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> One thing that is very important IMHO is that it is possible using
>> headers to turn off access to a whole server. One usecase for this would
>> be if a site notices some files are missconfigured and as immediate
>> security precaution disables access to all files while figuring out what
>> is wrong.
>> Another scenario would be a hosting server such as livejournal or
>> geocities wanting to disable access to all their hosted files even
>> though other users manage the contents of those files.
> 
> How about changing:
> 
>   rule ::= "allow" (pattern)+ ("exclude" (pattern)+)?
> 
> To:
> 
>   rule  ::= deny | allow
>   deny  ::= "deny" (pattern)+
>   allow ::= "allow" (pattern)+ ("exclude" (pattern)+)?
> 
> And then letting the algorithm in section 3 first seek through all 
> explicit deny clauses.

I actually liked the idea of going through the clauses in the order they 
appear. It seems logical and easy for authors to follow that logic.

However as I've been thinking about this I do think that "exclude" can 
be useful, at least for the processing instruction. One example I 
brought up was a server administrator inside a firewall wanting to block 
access to all files from servers outside the firewall. Such a header 
would likely look something like:

deny <*> exclude <http://*.intranet.company.com> 
<https://*.intranet.company.com>

This would then allow the page to explicitly define which sites would be 
able to access it, but would prevent the page from accidentally allow 
access from an external site.

/ Jonas
Received on Thursday, 26 April 2007 20:37:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:22 GMT