[AC] Access Control Algorithm

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 27 Mar 2007 14:49:29 +0200
To: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.tpulwrjj64w2qv@id-c0020>


The current algorithm for access control is that a resource has a list of
two-tuples. Each two-tuple consists of one list with at least one item,
the allow list, and another list which may be empty, the exception list.
When a request is made to a resource to which the access control read policy
applies you go through each of the two-tuples and as soon as you reach one
where one of the items in the allow list matches the request URL and the
exception list (in the same two-tuple) does not, access is granted and the
access algorithm aborted. Otherwise access is denied.

This means for instance that a request from foo.bar.com would get access in
this case:

   [([*.bar.com], [foo.bar.com])
   ,([*.bar.com], [])]

The two-tuples are formed by HTTP Content-Access-Control header rules and
<?access-control?> processing instructions. Each of them creates one two-tuple.

The advantages of this proposal are that each header rule and each processing
instruction contributes one item which is individually analyzed. It's not
really clear why this is needed or desirable though, especially as it also
allows scenarios as pointed out above. The main problem with this approach is
that it's quite complex to grasp and so far nobody really got it I believe.

The other idea which was specified initially is that all rules specified by
HTTP headers and processing instructions are combined into two global lists:
one list of allow rules and one list of exceptions to those allow rules. The
latter could probably be called "deny" as it would be effectively the

The algorithm for this would be that once both lists are constructed you
match the request URL against the items in the allow list and if there's a match
and there's no match in the exception / deny list you grant access. Otherwise
access is denied. (Assuming that the access control read policy is applied
to the requested resource.)

Personally I'm in favor of the second proposal as I think it addresses the
same use cases and has less surprises and complexity. It would be good if
authors and implementors commented on this approach.

If needed I'm willing to discuss this during the group's telcon if anybody sees
some advantage in doing that.


Anne van Kesteren
Received on Tuesday, 27 March 2007 12:50:20 UTC
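As an added example (not code from Anne's message or from any WAF WG draft), here is a small JavaScript model of both proposals run over the two rules quoted in the message. It assumes a host-pattern match where a leading "*." matches any non-empty run of labels and any other pattern is an exact host match; the actual URL matching rules of the draft are not on this page, so that part is an assumption, as are the function names.

```javascript
// Added example, not part of the original message or the WAF draft.
// Assumption: a rule is a host pattern. A leading "*." matches one or
// more labels in front of the suffix; any other pattern is an exact match.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.bar.com" -> ".bar.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Proposal 1 (current draft): an ordered list of [allowList, exceptionList]
// two-tuples. The first tuple whose allow list matches and whose exception
// list does not grants access; if no tuple does, access is denied.
function accessPerTuple(tuples, host) {
  for (const [allow, except] of tuples) {
    const allowed = allow.some((p) => hostMatches(p, host));
    const excepted = except.some((p) => hostMatches(p, host));
    if (allowed && !excepted) return true; // abort on the first grant
  }
  return false;
}

// Proposal 2 (the initial specification): merge every allow rule into one
// global allow list and every exception into one global deny list. Access
// is granted only if some allow rule matches and no deny rule matches.
function accessGlobal(tuples, host) {
  const allow = tuples.flatMap(([a]) => a);
  const deny = tuples.flatMap(([, e]) => e);
  const allowed = allow.some((p) => hostMatches(p, host));
  const denied = deny.some((p) => hostMatches(p, host));
  return allowed && !denied;
}

// The two rules from the message, as one header rule and one processing
// instruction would produce them (constructed input).
const rules = [
  [["*.bar.com"], ["foo.bar.com"]],
  [["*.bar.com"], []],
];

// Evaluate one requesting host under both proposals.
function compare(host) {
  return {
    host,
    perTuple: accessPerTuple(rules, host),
    global: accessGlobal(rules, host),
  };
}

for (const host of ["foo.bar.com", "baz.bar.com", "bar.com", "example.com"]) {
  console.log(compare(host));
}
```

Under the per-tuple algorithm foo.bar.com is granted by the second tuple even though the first tuple names it as an exception, which is the surprise the message points out; with the merged lists the single exception wins and foo.bar.com is denied, while other *.bar.com hosts are granted either way.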