Re: [access-control] update from the editor

On Wed, 09 May 2007 21:28:12 +0200, Ian Hickson <ian@hixie.ch> wrote:
> In 2.1, ""deny" rules can be used by authors to deny read access from
> external resources to the entire server a simple way without having to
> check each individual XML resource that may have <?access-control?>
> processing instructions specified." is somewhat confusing to a first time
> reader because the PI hasn't yet been met.
>
> In fact it's still confusing to me now. I think your prepositions are all
> wrong. I'm not really sure what you're trying to say.

I tried to clarify it.


> 2.2 doesn't actually say that if the MUSTs are violated that the resource
> is put in error.

You mean to make it more clear to authors? Because when something is  
rejected is now determined by the algorithm in section 3.


> In 3: "The match list and exclude list are both unordered lists of access
> items." -- "the" match list? "the" exclude list? There are 3 of each!  
> This should probably be in the plural or something.

Made the definitions plural.


> Is there a difference between "terminate this algorithm" and "terminate
> this algorithm (process the next list item)"?

I rewrote most of this sub-algorithm handling to make it much more clear
(hopefully!) what needs to be done.


> "user agents must grant access to the resource" can we make that a SHOULD
> instead of a MUST?

Makes sense, addressed.


> It isn't completely clear to me what the "overall algorithm" is. The
> sub-algorithms have <ol>s, maybe the overall algorithm should too? I  
> don't know.

I put it in an <ol>. It probably needs some further tweaking to make it clear
when it's invoked and such.


> I can't really comment on the "match" algorithm because I don't know what
> Request URL is supposed to be. For example, is it expected to be an
> absolute URL always, or can it be relative? What does it mean for the
> origin not to have a scheme? Why would you ignore the scheme if it's not
> followed by "://" ? How can it not have a port? Are non-host-based-
> authority schemes allowed?
>
> Step 9 doesn't specify the order.

I tried to fix these as well. See:

   http://dev.w3.org/cvsweb/~checkout~/2006/waf/access-control/Overview.html?content-type=text/html;%20charset=utf-8


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 10 May 2007 11:27:52 UTC