W3C home > Mailing lists > Public > public-appformats@w3.org > May 2007

Re: [AC] Access Control Algorithm

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 02 May 2007 18:00:16 -0700
Message-ID: <46393420.2010307@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
CC: "WAF WG (public)" <public-appformats@w3.org>

Anne van Kesteren wrote:
> 
> On Thu, 26 Apr 2007 22:37:47 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> I actually liked the idea of going through the clauses in the order 
>> they appear. It seems logical and easy for authors to follow that logic.
>>
>> However as I've been thinking about this I do think that "exclude" can 
>> be useful, at least for the processing instruction. One example I 
>> brought up was a server administrator inside a firewall wanting to 
>> block access to all files from servers outside the firewall. Such a 
>> header would likely look something like:
>>
>> deny <*> exclude <http://*.intranet.company.com> 
>> <https://*.intranet.company.com>
>>
>> This would then allow the page to explicitly define which sites would 
>> be able to access it, but would prevent the page from accidentally 
>> allow access from an external site.
> 
> The use case for introducing this in the HTTP header is quite clear. 
> What's the reason for having it in the processing instruction?

Yes, I agree, this is only needed by the HTTP header.

> Also, you want this in addition to the current mechanism, right?

See my latest proposal in my previous mail. Rather than having 'exclude' 
additions to both allow and deny, I think it'd be simpler to have a 
'default' rule as well. This rule wouldn't need to exist for the PI, 
though it might be nice to have it just for consistency, I don't really 
feel strongly either way.
Received on Thursday, 3 May 2007 01:02:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:22 GMT