W3C home > Mailing lists > Public > public-appformats@w3.org > May 2007

Re: [AC] Access Control Algorithm

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 03 May 2007 04:24:01 -0700
Message-ID: <4639C651.1050203@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>

Anne van Kesteren wrote:
> On Thu, 03 May 2007 03:00:16 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>>> Also, you want this in addition to the current mechanism, right?
>>
>> See my latest proposal in my previous mail. Rather than having 
>> 'exclude' additions to both allow and deny, I think it'd be simpler to 
>> have a 'default' rule as well. This rule wouldn't need to exist for 
>> the PI, though it might be nice to have it just for consistency, I 
>> don't really feel strongly either way.
> 
> I missed that. The current mechanism is actually defined in such a way 
> that order is not important. I'm not sure what the affect of changing 
> that would be.

I know, but I propose we change that since I think the current algorithm 
is hard to easily see what results it produces, as you described in the 
initial mail in this thread.

> Also, you still need to have allow and exclude for the 
> processing instruction so supporting the same logic for the HTTP header 
> makes more sense to me. Basically:
> 
>    rule ::= type (pattern)+ ("exclude" (pattern)+)?
>    type ::= allow | deny

My propsal was that we have "allow", "deny" and "default" for the HTTP 
header and "allow" and "deny" for the PIs. The logic would be exactly 
the same between them. We could even have "allow", "deny" and "default" 
for the PIs and let the processing be exactly the same, the effect would 
be that for PIs "deny" and "default" would have the same effect.

/ Jonas
Received on Thursday, 3 May 2007 11:24:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:22 GMT