Re: [ac] wildcard rules and subdomains from Mark Nottingham on 2007-07-04 (public-appformats@w3.org from July 2007)

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Wed, 4 Jul 2007 11:58:55 +1000
To: Jonas Sicking <jonas@sicking.cc>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-Id: <B5FF5FBE-3BCE-4B05-A1FA-42E86889A3F6@yahoo-inc.com>

IIRC (and I could be remembering wrongly), it was done this way to  
align with how p3p.xml, etc. work, so there wouldn't be multiple,  
almost-the-same-but-conflicting standards out there.

Cheers,


On 2007/07/04, at 10:35 AM, Jonas Sicking wrote:

>
> Hi All,
>
> Currently the spec says that a rule like "*.example.com" does not  
> match a request from example.com. The result is that if you want to  
> give access to anything coming from example.com, including any  
> subdomains, you'll have to write a rule like:
>
> Content-Access-Control: allow <*.example.com>, <example.com>
>
> And similarly, if you want to deny requests from evil.com you have  
> to do:
>
> Content-Access-Control: deny <*.evil.com>, <evil.com>
>
> I think it would be better if *.example.com also matched example.com.
>
> Pros:
> In many cases you can write simpler rules since I'd imagine it's  
> more likely that you want to deny or grant access to both a domain  
> and its subdomains, than that you just want one of the two.
>
> There's no longer a risk that someone will think that *.example.com  
> does match example.com.
>
> Cons:
> There's a risk that someone will think that *.example.com does not  
> match example.com.
>
> I actually think that the consequences of misunderstanding is  
> smaller in the latter case. Lets example the possible  
> misunderstandings under the two algorithms:
>
>
> == Current algorithm, *.example.com does not match example.com ==
> Author uses the rule
> Content-Access-Control: allow <*.example.com>
> and thinks this grants access to example.com
>
> The consequences aren't very bad, the only thing that will happen  
> is that when the site example.com is used things will not work.  
> This is easily detectable and fixed
>
> Author uses the rule
> Content-Access-Control: deny <*.example.com>
> and thinks this denies access to example.com
>
> The consequences are bad. Access is not denied to example.com even  
> though that was intended.
>
> == Proposed algorithm, *.example.com does match example.com ==
> Author uses the rule
> Content-Access-Control: allow <*.example.com>
> and thinks this does not grant access to example.com
>
> The consequences are somewhat bad, access is granted to example.com  
> even though that was not intended. However, it is likely that  
> however runs example.com could simply set up foo.example.com and  
> use that to get access. In general I can't think of a real-world  
> example where you'd trust the subdomains of a site, but not the top  
> domain.
>
> Author uses the rule
> Content-Access-Control: deny <*.example.com>
> and thinks this does not deny access to example.com
>
> The consequences aren't very bad, the only thing that will happen  
> is that when the site example.com is used things will not work.  
> This is easily detectable and fixed.
>
> / Jonas
>

--
Mark Nottingham       mnot@yahoo-inc.com

Received on Wednesday, 4 July 2007 01:59:17 UTC