
Re: [access-control] update from the editor

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 13 Jun 2007 11:19:53 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.ttur7fj064w2qv@annevk-t60.oslo.opera.com>

On Thu, 07 Jun 2007 01:13:40 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>>  * What happens when the XML is not well-formed and how does this
>>    interact with incremental parsing.
>
> This one is tricky for sure. IMHO we can't require that AC checks fail
> if the document fails to fully parse. In my implementation I plan to
> stop parsing once I hit the first start tag and if access hasn't been
> granted yet at that point abort. I don't want, for security reasons, to
> create any DOM nodes at all if access is denied, so it's not an option
> to create a full DOM and then do access checks.

This is now clarified by the specification. It specifies what you suggest.


> I also thought of a pretty important use-case that requires "deny" in
> the PIs. If the server sets an allow header, but you want to put a file
> on that server that you *don't* want people from other servers to have
> access to, you need to be able to specify that directly in the file. It
> is not enough to simply not put any AC PIs in the file since then the
> server's 'accept' will be used.

You could use

   <?access-control allow="*" exclude="*"?>

However, I added <?access-control deny=...?> for now.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 13 June 2007 09:20:09 GMT
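
The check discussed in this message, as an added example (not code from the specification or from either implementation): `access-control` PIs are read incrementally from the prolog and parsing is aborted at the first start tag, so no DOM nodes are created and markup after that tag is never examined. The name `check_access`, the sample origins, and the matching rules (an item is `*` or an exact string, `exclude` subtracts from `allow`, any matching `deny` wins) are simplifying assumptions; the server's header is not modelled.

```python
import re
from xml.parsers import expat

# Pseudo-attributes inside the PI data, e.g. allow="*" exclude="*"
_ATTR = re.compile(r'''([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')''')


class _FirstStartTag(Exception):
    """Raised from the start-tag handler to abort parsing immediately."""


def _matches(items, origin):
    # Assumed, simplified matching: whitespace-separated items, "*" or exact.
    return any(item in ("*", origin) for item in items.split())


def check_access(chunks, origin):
    """Decide access from PIs seen before the first start tag; build no DOM."""
    state = {"allowed": False, "denied": False}

    def on_pi(target, data):
        if target != "access-control":
            return
        attrs = {k: dq or sq for k, dq, sq in _ATTR.findall(data)}
        if _matches(attrs.get("deny", ""), origin):
            state["denied"] = True
        elif (_matches(attrs.get("allow", ""), origin)
              and not _matches(attrs.get("exclude", ""), origin)):
            state["allowed"] = True

    def on_start(name, attrs):
        raise _FirstStartTag  # the decision point: stop here, parse no further

    parser = expat.ParserCreate()
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        for chunk in chunks:           # incremental: chunks may split a PI
            parser.Parse(chunk, False)
        parser.Parse(b"", True)        # input ended without any start tag
    except _FirstStartTag:
        return state["allowed"] and not state["denied"]
    except expat.ExpatError:
        pass                           # malformed before the first start tag
    return False
```
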
