- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 27 Mar 2007 15:24:23 +0200
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On 2007-03-27 14:53:49 +0200, Anne van Kesteren wrote:

> The advantages of this proposal are that each header rule and
> each processing instruction contributes one item which is
> individually analyzed. It's not really clear why this is needed
> or desirable though especially as it also allows scenarios as
> pointed out above. The main problem with this approach is that
> it's quite complex to grasp

What's complex about it again?

> The other idea which was specified initially is that all rules
> specified by HTTP headers and processing instructions are
> combined into two global lists. One list of allow rules and one
> list of exceptions to those allow rules. (The latter could
> probably be called "deny" as it would be effectively the same.)
> The algorithm for this would be that once both lists are
> constructed you first match the request URL against the items in
> the allow list and if there's a match and there's no match in the
> exception / deny list you grant access. Otherwise access is
> denied. (Assuming that the access control read policy is
> applicable to the requested resource.

So this is equivalent to the one-pair special case of the first proposal, right?

-- 
Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 27 March 2007 13:24:38 UTC
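The two evaluation models discussed in the thread, written out as an added example (this is not code from the message or from the WAF WG's draft). The rule syntax is an assumption made here for illustration: a rule is an origin pattern such as `http://*.example.org`, where a leading `*.` matches any subdomain, and a request is identified by its origin (`scheme://host`). The first model treats every header or processing instruction as its own (allow, exceptions) item; the second merges all allows and all exceptions into two global lists. The `merged_item` helper makes the point in the reply concrete: the global model is the per-item model applied to a single merged pair, and the constructed policy below shows one request on which the two models disagree.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce a request URL to its origin, lower-cased (assumed request identity)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def pattern_matches(pattern, origin):
    """Assumed rule syntax: exact origin, or 'scheme://*.domain' for any subdomain."""
    p_scheme, _, p_host = pattern.lower().partition("://")
    o_scheme, _, o_host = origin.partition("://")
    if p_scheme != o_scheme:
        return False
    if p_host.startswith("*."):
        # '*.example.org' requires at least one label before '.example.org'
        return o_host.endswith(p_host[1:])
    return p_host == o_host


def any_match(patterns, origin):
    return any(pattern_matches(p, origin) for p in patterns)


def evaluate_per_item(items, request_url):
    """First proposal: each item is an (allow, exceptions) pair analysed on its own.
    Access is granted if some item's allow rules match and that item's own
    exceptions do not."""
    origin = origin_of(request_url)
    for allow, exceptions in items:
        if any_match(allow, origin) and not any_match(exceptions, origin):
            return True
    return False


def merged_item(items):
    """Fold every item's allows into one list and every item's exceptions into
    another: the single pair that the global model works on."""
    allow = [p for a, _ in items for p in a]
    exceptions = [p for _, e in items for p in e]
    return (allow, exceptions)


def evaluate_global(items, request_url):
    """Second proposal: match the request against the global allow list, then
    deny if anything in the global exception list also matches."""
    origin = origin_of(request_url)
    allow, exceptions = merged_item(items)
    return any_match(allow, origin) and not any_match(exceptions, origin)


# Constructed policy, as if contributed by two separate headers/PIs:
#   item 1 allows every *.example.org subdomain except private.example.org
#   item 2 allows private.example.org outright
ITEMS = [
    (["http://*.example.org"], ["http://private.example.org"]),
    (["http://private.example.org"], []),
]

if __name__ == "__main__":
    for url in ("http://www.example.org/x", "http://private.example.org/data",
                "http://example.org/", "https://www.example.org/"):
        print(f"{url:35} per-item={evaluate_per_item(ITEMS, url)!s:5} "
              f"global={evaluate_global(ITEMS, url)!s:5} "
              f"one-pair={evaluate_per_item([merged_item(ITEMS)], url)}")
```

For `http://www.example.org` both models grant access. For `http://private.example.org` the per-item model grants it through item 2 while the global model denies it, because item 1's exception is now a global exception; evaluating the merged pair under the per-item rules gives exactly the global answer.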