- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 7 Feb 2007 20:32:16 +0100
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Brad Porter <brad@tellme.com>, "WAF WG (public)" <public-appformats@w3.org>, access-control tf <member-accesscontrol-tf@w3.org>
On 2007-02-07 15:20:09 +0100, Anne van Kesteren wrote:
> You mean you want:
>
> <?access-control
> accept="http://*.example.org"
> except="*"?>
>
> <?access-control
> accept="http://foo.example.org"
> except="http://bar.example.org"?>
>
> to be different from:
>
> <?access-control
> accept="http://*.example.org http://foo.example.org"
> except="* http://bar.example.org"?>
>
> or something?

Yes. Here's a slightly pathologic example that might make the difference clear:

  allow http://*.org/ except http://www.*/
  allow http://www.example.org/

In this example, www.example.org is actually permissible, according to the scheme that I had proposed.

(Actually, I'm having second thoughts about the matching of a wildcard-label. Should that only match one label or possibly an entire subdomain? Something's fishy there.)

The idea that I had proposed was the following: For each allow clause, there's a corresponding list of except clauses. The HTTP header BNF in the current draft actually reflects that idea:

  rule    ::= "allow" 1*( SP pattern ) [ SP "except" 1*( SP pattern ) ]
  ruleset ::= 1#( rule )

The evaluation algorithm then becomes something like this (excuse my pseudo-perl):

  for rule in ruleset
    if ac_match (rule.allow, req_url)
      allow = True
      for exception in rule.exceptions
        if ac_match (exception, req_url)
          allow = False
      if (allow)
        return "grant access"

This approach keeps the except clauses pretty local, makes the entire thing easier to read, and makes it possible to evaluate against one HTTP header at a time.

I'll leave a translation into processing instructions to you.

--
Thomas Roessler, W3C <tlr@w3.org>
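The two readings of the ruleset discussed above, worked through in Python as an added example that is not part of the mail or of the draft: per-rule except lists (Roessler's proposal) beside a single pooled except list, run over the "pathologic" ruleset. `ac_match` is not defined in the mail, so the matcher here is an assumption: same scheme, `*` standing for one or more whole host labels, and a prefix match on the path.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the "pathologic" ruleset from the mail, written in the header form
#   rule ::= "allow" 1*(SP pattern) [SP "except" 1*(SP pattern)], rules separated by commas.
RULESET = "allow http://*.org/ except http://www.*/, allow http://www.example.org/"

def parse_ruleset(header):
    """Return one (allow_patterns, except_patterns) pair per comma-separated rule."""
    rules = []
    for text in header.split(","):
        tokens = text.split()
        allow, exceptions = [], []
        target = allow
        for tok in tokens[1:]:
            if tok == "except":
                target = exceptions  # patterns after 'except' belong to this rule only
            else:
                target.append(tok)
        if tokens[:1] != ["allow"] or not allow or ("except" in tokens and not exceptions):
            raise ValueError("malformed rule: %r" % text)
        rules.append((allow, exceptions))
    return rules

def ac_match(pattern, url):
    """Assumed matcher (the mail leaves ac_match undefined): same scheme, '*' = one or
    more whole host labels, and the URL path must start with the pattern's path."""
    p, u = urlsplit(pattern), urlsplit(url)
    if p.scheme != u.scheme or u.hostname is None:
        return False
    # Build the regex from the host component only, so '*' can never run into the
    # path or query of the requested URL (http://evil.com/x.org/ must not match *.org).
    host_re = "^" + re.escape(p.hostname).replace(r"\*", r"[a-z0-9-]+(?:\.[a-z0-9-]+)*") + "$"
    return bool(re.match(host_re, u.hostname)) and (u.path or "/").startswith(p.path or "/")

def evaluate_per_rule(rules, url):
    """Roessler's proposal: each except list narrows only its own rule's allow list;
    the first rule that survives grants access, and no matching rule means deny (assumed)."""
    for allow, exceptions in rules:
        if any(ac_match(a, url) for a in allow) and not any(ac_match(e, url) for e in exceptions):
            return "grant access"
    return "deny access"

def evaluate_merged(rules, url):
    """The reading Anne asked about: all allows pooled, all excepts pooled, so any except vetoes any allow."""
    allows = [a for allow, _ in rules for a in allow]
    excepts = [e for _, exceptions in rules for e in exceptions]
    if any(ac_match(a, url) for a in allows) and not any(ac_match(e, url) for e in excepts):
        return "grant access"
    return "deny access"
```

With the ruleset above, www.example.org is granted under the per-rule reading and denied under the pooled one, which is exactly the difference the mail is about.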
Received on Wednesday, 7 February 2007 19:30:57 UTC