W3C home > Mailing lists > Public > public-appformats@w3.org > May 2007

Re: [AC] Access Control Algorithm

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 03 May 2007 14:34:41 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.trq3v3fy64w2qv@id-c0020>

On Thu, 03 May 2007 13:24:01 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> I know, but I propose we change that since I think the current algorithm  
> is hard to easily see what results it produces, as you described in the  
> initial mail in this thread.

With the algorithm you are proposing now that is true as well, fwiw.  
Because even though it can say deny= in the processing instruction that  
isn't actually true for same-origin requests for instance. And for non  
same-origin requests the default is deny. Therefore the allow / exclude  
mechanism makes sense. It also cateters for:

   allow <*.example.org> exclude <*.public.example.org>
   allow <webmaster.public.example.org>

I'm not really convinced we should throw that away in favor of deny=.


>> Also, you still need to have allow and exclude for the processing  
>> instruction so supporting the same logic for the HTTP header makes more  
>> sense to me. Basically:
>>     rule ::= type (pattern)+ ("exclude" (pattern)+)?
>>    type ::= allow | deny
>
> My propsal was that we have "allow", "deny" and "default" for the HTTP  
> header and "allow" and "deny" for the PIs. The logic would be exactly  
> the same between them. We could even have "allow", "deny" and "default"  
> for the PIs and let the processing be exactly the same, the effect would  
> be that for PIs "deny" and "default" would have the same effect.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 3 May 2007 12:35:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:22 GMT