W3C home > Mailing lists > Public > public-appformats@w3.org > May 2007

Re: [AC] Access Control Algorithm

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 07 May 2007 10:18:30 -0700
Message-ID: <463F5F66.4080700@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>

Anne van Kesteren wrote:
>> Have "allow", "deny" and "default". There is no "exclude". Order is 
>> important. If headers say "deny" then immediately deny. If headers say 
>> "allow" or "default" check with PIs. If PIs say "deny" deny. If PIs 
>> say "allow" allow. If PIs say nothing and headers said "allow" allow. 
>> Otherwise deny.
>>
>> If we allow "default" in PIs or not doesn't really matter to me. In 
>> the end they are useless, but it would be consistent.
> 
> So what would happen for:
> 
>   Content-Access-Control: allow <*.bar.com>, deny <*.bar.com>
> 
> You seemed to imply that ordering was important, but I wonder if that's 
> intuitive.

Yes, in my proposed algorithm that would indicate 'allow' since ordering 
is important.

I have been thinking about this over the past few days and I actually 
think I agree with you. While it might be confusing that

allow <*.bar.com> exclude <foo.bar.com>, allow <*.bar.com>

allows foo.bar.com. I think it's even more confusing that

allow <*.bar.com>, deny <foo.bar.com>

does. So I think we should have both 'allow' and 'deny', both with 
'exclude'. Ordering is not important, but deny rules are processed first.

Not sure if we should have 'deny' PIs or not though. I'm open to 
arguments both ways.

/ Jonas
Received on Monday, 7 May 2007 17:18:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:22 GMT