Re: [ac] wildcard rules and subdomains

Thomas Roessler wrote:
> On 2007-07-05 15:16:34 -0700, Jonas Sicking wrote:
> 
>> An alternative solution is to remove the wildcard syntax
>> entirely, and say that it's implicitly always there. So
> 
>> Content-Access-Control: deny <evil.com>, allow <good.com>
> 
>> denies evil.com together with subdomains, while allowing good.com
>> together with subdomains.
> 
> To be clear, I don't object against that particular wildcard syntax.
> However, part of this discussion is likely moot given the thread
> that Rhys (rightly) opened up with respect to the interaction with
> POWDER.

From what I understood POWDER is changing their syntax so I think we 
could take a lead here and hopefully they will follow us.

> On 2007-07-06 10:23:10 -0700, Jonas Sicking wrote:
> 
>> sigh, keep saying that without coming up with an alternative
>> seems very unproductive.
> 
> I agree that we seem not to be making much progress on the "deny"
> issue on the mailing list.
> 
> To summarize, the concerns are:
> 
> - "deny" lets people express policies that might not be enforced
>   since semantics are expressed in terms of adding to the list of
>   sites for which access is permissible.

This is true for the 'exclude' syntax too. The rule

Content-Access-Control: allow <*.foo.com> exclude <evil.foo.com>

will in fact allow pages from evil.foo.com to access this resource if 
the resource is located at evil.foo.com.

Note that even for deny the only time it doesn't do what you might 
expect it to is if you're explicitly denying the server where the 
resource is located.

> The one use case that we have for the "deny" statement so far is
> configuring web servers on which somebody might have put erroneous
> "allow" authorizations, in case there is a practical attack going
> on.  I agree that it's a valid concern, but I disagree that it
> should lead to a change to the language.

The other use case is if you're putting a resource on a server that grants 
access, but you don't want your particular resource to be accessible 
cross domain.

> Therefore, I'm essentially proposing that we do not treat this use
> case.
> 
> This is ultimately a question that the two of us won't solve by
> running our heads against each other, either in e-mail or on the
> phone.  I'd therefore (as I said before) like to hear the opinions
> that others hold on this question.

Agreed. I should note that this use case was one that was brought up 
during our security review of access-control at mozilla, and one that we 
felt needed to be addressed. So it's not just me personally who feels 
this way.

/ Jonas

Received on Saturday, 7 July 2007 00:18:29 UTC
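The point Jonas makes about the `exclude` rule (and about `deny`) is that the header only governs cross-site access: a page served from the very host the rule tries to exclude is same-origin with the resource and never consults the policy at all. The following evaluator, added here as an illustration and not code from the W3C access-control draft, from POWDER or from Mozilla, models the `allow <pattern> exclude <pattern>` and `deny <pattern>` syntax exactly as it appears in the thread and reproduces that observation. Everything beyond the quoted syntax is an assumption made for the example: hostnames compare case-insensitively, `*.foo.com` matches any host ending in `.foo.com` (not `foo.com` itself), a matching `deny` takes precedence over any `allow`, and wildcards are only explicit (the "implicit wildcard" alternative from the quoted proposal is not modelled).

```python
"""Toy evaluator for the Content-Access-Control syntax quoted in the thread.

Added example only; not the spec's or any browser's implementation.
Assumed semantics (not stated on the page): case-insensitive hosts,
'*.foo.com' matches hosts ending in '.foo.com', 'deny' beats 'allow',
and same-origin requests are outside the header's scope.
"""

import re
from dataclasses import dataclass, field

# One rule: 'allow <pat>' or 'deny <pat>', optionally followed by
# any number of 'exclude <pat>' clauses. Commas between rules are skipped.
RULE_RE = re.compile(r'(allow|deny)\s+<([^>]+)>((?:\s+exclude\s+<[^>]+>)*)', re.I)
EXCLUDE_RE = re.compile(r'exclude\s+<([^>]+)>', re.I)


@dataclass
class Rule:
    kind: str                       # 'allow' or 'deny'
    pattern: str                    # e.g. '*.foo.com' or 'evil.com'
    excludes: list = field(default_factory=list)


def parse_policy(header_value):
    """Turn a header value into an ordered list of Rule objects."""
    rules = []
    for m in RULE_RE.finditer(header_value):
        kind, pattern, exc_text = m.group(1).lower(), m.group(2).lower(), m.group(3)
        excludes = [e.lower() for e in EXCLUDE_RE.findall(exc_text)]
        rules.append(Rule(kind, pattern, excludes))
    return rules


def host_matches(pattern, host):
    """Assumed wildcard semantics: '*.foo.com' covers subdomains of foo.com only."""
    host = host.lower()
    if pattern.startswith('*.'):
        return host.endswith(pattern[1:])   # '*.foo.com' -> endswith '.foo.com'
    return host == pattern


def policy_permits(rules, origin_host):
    """Cross-site decision: a matching deny wins; else an allow whose excludes don't match."""
    if any(r.kind == 'deny' and host_matches(r.pattern, origin_host) for r in rules):
        return False
    for r in rules:
        if r.kind == 'allow' and host_matches(r.pattern, origin_host):
            if not any(host_matches(e, origin_host) for e in r.excludes):
                return True
    return False


def access_granted(header_value, resource_host, origin_host):
    """Full decision for a page at origin_host reading a resource on resource_host.

    Same-origin access never consults the header, which is exactly why
    'exclude <evil.foo.com>' cannot stop a page served from evil.foo.com
    when the resource itself lives on evil.foo.com.
    """
    if origin_host.lower() == resource_host.lower():
        return True
    return policy_permits(parse_policy(header_value), origin_host)


if __name__ == '__main__':
    # Constructed sample policy, taken from the rule quoted in the message.
    policy = 'allow <*.foo.com> exclude <evil.foo.com>'
    for resource, origin in [('www.foo.com', 'good.foo.com'),
                             ('www.foo.com', 'evil.foo.com'),
                             ('evil.foo.com', 'evil.foo.com')]:
        print(f'{origin:>14} -> {resource:<14} granted={access_granted(policy, resource, origin)}')
```

Run stand-alone, the last case prints `granted=True` even though `evil.foo.com` is explicitly excluded, because the request is same-origin. That is the limitation the message describes for both `exclude` and `deny`: the header is only ever an additional grant on top of the same-origin policy, so it cannot take access away from the resource's own host.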