Re: [AC] Access Control Algorithm

Anne van Kesteren wrote:
> On Tue, 24 Apr 2007 21:12:35 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> One thing that is very important IMHO is that it is possible using
>> headers to turn off access to a whole server. One use case for this would
>> be if a site notices some files are misconfigured and as an immediate
>> security precaution disables access to all files while figuring out what
>> is wrong.
>> Another scenario would be a hosting server such as livejournal or
>> geocities wanting to disable access to all their hosted files even
>> though other users manage the contents of those files.
> 
> How about changing:
> 
>   rule ::= "allow" (pattern)+ ("exclude" (pattern)+)?
> 
> To:
> 
>   rule  ::= deny | allow
>   deny  ::= "deny" (pattern)+
>   allow ::= "allow" (pattern)+ ("exclude" (pattern)+)?
> 
> And then letting the algorithm in section 3 first seek through all 
> explicit deny clauses.

I actually liked the idea of going through the clauses in the order they 
appear. It seems logical and easy for authors to follow that logic.

However, as I've been thinking about this I do think that "exclude" can 
be useful, at least for the processing instruction. One example I 
brought up was a server administrator inside a firewall wanting to block 
access to all files from servers outside the firewall. Such a header 
would likely look something like:

deny <*> exclude <http://*.intranet.company.com> <https://*.intranet.company.com>

This would then allow the page to explicitly define which sites would be 
able to access it, but would prevent the page from accidentally allowing 
access from an external site.

/ Jonas

Received on Thursday, 26 April 2007 20:37:57 UTC
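
Added example, not part of the original message or of the Access Control draft: a small evaluator for the rule grammar quoted above, extended so that "deny" may also carry an "exclude" list as in the firewall header. It assumes that rules are read in the order they appear, that header rules are read before the page's own rules, that "*" matches any run of characters other than "/" (a bare <*> matches every origin), and that no matching rule means no access; the function names and the sample origins are hypothetical.

```python
import re

RULE_RE = re.compile(
    r"^(allow|deny)((?: <[^<>\s]+>)+)(?: exclude((?: <[^<>\s]+>)+))?$")

def parse_rule(text):
    """Parse 'allow|deny <pattern>+ [exclude <pattern>+]' into a tuple."""
    m = RULE_RE.match(" ".join(text.split()))  # collapse wrapped whitespace
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    pats = re.findall(r"<([^<>\s]+)>", m.group(2))
    excl = re.findall(r"<([^<>\s]+)>", m.group(3) or "")
    return m.group(1), pats, excl

def matches(pattern, origin):
    """Assumed wildcard semantics: '*' never crosses a '/'."""
    if pattern == "*":
        return True
    regex = re.escape(pattern).replace(r"\*", "[^/]*")
    return re.fullmatch(regex, origin) is not None

def rule_hits(rule, origin):
    """A rule applies when a pattern matches and no exclude pattern does."""
    _, pats, excl = rule
    return (any(matches(p, origin) for p in pats)
            and not any(matches(p, origin) for p in excl))

def check_access(header_rules, page_rules, origin):
    """First applicable rule decides; header rules come before page rules."""
    for layer in (header_rules, page_rules):
        for rule in map(parse_rule, layer):
            if rule_hits(rule, origin):
                return rule[0] == "allow"
    return False  # assumption: default deny when nothing applies

# Constructed sample input: the firewall header from the message, and a
# page that (accidentally) allows every origin.
HEADER = ["deny <*> exclude <http://*.intranet.company.com> "
          "<https://*.intranet.company.com>"]
PAGE_OPEN = ["allow <*>"]

if __name__ == "__main__":
    for origin in ("https://wiki.intranet.company.com",
                   "http://evil.example",
                   "http://intranet.company.com.evil.example"):
        print(origin, check_access(HEADER, PAGE_OPEN, origin))
```

With the header in place the over-broad page rule only takes effect for intranet origins; without it, the same page rule admits any origin.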