
Re: [AC] Access Control Algorithm

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 21 May 2007 13:40:24 +0200
To: "Thomas Roessler" <tlr@w3.org>, "Jonas Sicking" <jonas@sicking.cc>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.tsoddmx664w2qv@annevk.hotspot.sfr.fr>

On Mon, 21 May 2007 12:58:05 +0200, Thomas Roessler <tlr@w3.org> wrote:
> On 2007-05-07 17:31:17 +0200, Anne van Kesteren wrote:
>> Yes, my proposal was to allow "deny <rules> exclude <rules>" in
>> addition on HTTP headers.
>
> Ugh.  That once again introduces an order dependency when evaluating
> the header, and makes things unnecessarily more fragile.

The latest editor draft tightly defines this. Instead of introducing an
order dependency it simply builds up two separate lists which are then
checked in order. (The deny list before the allow list.)


> (Also, you mentioned the effect on same-origin requests yourself,
> which might be rather unintuitive...)

This is always an issue. However, the draft clearly states everything only
applies when the policy applies.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 21 May 2007 11:40:50 GMT
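The two-list evaluation described in the reply above (collect every rule from the headers into a deny list and an allow list, then check the deny list before the allow list), as an added example that is not part of this thread and not code from the W3C draft. The rule grammar it parses ("allow <item> ... exclude <item> ...", "deny <item> ... exclude <item> ...", with `<scheme://host[:port]>` items and a `*.` host wildcard) and the default of denying an origin that matches neither list are assumptions made for illustration; the headers and origins it evaluates are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Assumed rule grammar (illustrative, not the draft's exact syntax):
#   allow <item> [<item> ...] [exclude <item> [<item> ...]]
#   deny  <item> [<item> ...] [exclude <item> [<item> ...]]
# An <item> is "*" or "[scheme://]host[:port]"; a host of "*.example.org"
# matches example.org and any subdomain; a missing scheme or port matches any.
RULE_RE = re.compile(r"^\s*(allow|deny)\s+(.+?)(?:\s+exclude\s+(.+))?\s*$")
ITEM_RE = re.compile(r"<([^<>]+)>")


@dataclass
class Item:
    """One origin pattern inside a rule, e.g. <http://*.example.org:80>."""
    scheme: str
    host: str
    port: str

    @classmethod
    def parse(cls, text):
        if text == "*":
            return cls("*", "*", "*")
        m = re.fullmatch(r"(?:([a-z]+)://)?([^:/]+)(?::(\d+|\*))?", text)
        if m is None:
            raise ValueError("bad origin pattern: %r" % text)
        scheme, host, port = m.groups()
        return cls(scheme or "*", host, port or "*")

    def matches(self, origin):
        """origin is a (scheme, host, port) tuple of plain strings."""
        scheme, host, port = origin
        if self.scheme != "*" and self.scheme != scheme:
            return False
        if self.port != "*" and self.port != port:
            return False
        if self.host == "*":
            return True
        if self.host.startswith("*."):
            suffix = self.host[1:]                 # ".example.org"
            return host == suffix[1:] or host.endswith(suffix)
        return host == self.host


@dataclass
class Rule:
    """A rule matches when some item matches and no exclude item matches."""
    items: list
    excludes: list

    def matches(self, origin):
        return (any(i.matches(origin) for i in self.items)
                and not any(e.matches(origin) for e in self.excludes))


@dataclass
class Policy:
    """Rules are sorted into two lists as headers arrive; header order never matters."""
    deny_rules: list = field(default_factory=list)
    allow_rules: list = field(default_factory=list)

    def add_header(self, value):
        m = RULE_RE.match(value)
        if m is None:
            raise ValueError("unparseable access-control header: %r" % value)
        kind, items, excludes = m.groups()
        rule = Rule([Item.parse(t) for t in ITEM_RE.findall(items)],
                    [Item.parse(t) for t in ITEM_RE.findall(excludes or "")])
        (self.deny_rules if kind == "deny" else self.allow_rules).append(rule)

    def decide(self, origin):
        # Deny list is consulted first, then the allow list; an origin that
        # matches neither is denied (assumed default for this example).
        if any(r.matches(origin) for r in self.deny_rules):
            return "deny"
        if any(r.matches(origin) for r in self.allow_rules):
            return "allow"
        return "deny"


def decide_origin(headers, origin):
    """Build a policy from a list of header values and decide for one origin."""
    policy = Policy()
    for value in headers:
        policy.add_header(value)
    return policy.decide(origin)


if __name__ == "__main__":
    # Constructed sample headers: the same two rules in both orders give the
    # same answer, which is the order-independence point of the two-list scheme.
    forward = ["allow <*>", "deny <http://evil.example:80>"]
    print(decide_origin(forward, ("http", "evil.example", "80")))        # deny
    print(decide_origin(forward[::-1], ("http", "evil.example", "80")))  # deny
    print(decide_origin(forward, ("http", "good.example", "80")))        # allow
```

The `decide_origin` helper is where the order-independence shows: because rules are partitioned into the two lists as they are parsed, swapping the header order changes nothing about the decision, and a deny rule with an `exclude` clause can carve a narrow exception out of a broad deny without any interaction with how the allow rules were written.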
