W3C home > Mailing lists > Public > public-appformats@w3.org > November 2007

Re: More comments on access-control

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 19 Nov 2007 16:57:17 -0800
Message-ID: <474230ED.2060802@sicking.cc>
To: Ian Hickson <ian@hixie.ch>
CC: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>

>>> Why is the "*." bit redundant in the domain part? How do I make sure 
>>> something matches "livejournal.com" but not 
>>> "ianhickson.livejournal.com"?
>>   allow <livejournal.com> exclude <ianhickson.livejournal.com>
>> or more generic
>>   allow <livejournal.com> exclude <*.livejournal.com>
> Hm. Ok. I'm pretty sure this is confusing enough that it'll be the source 
> of security holes in future, though.
> Does
>    allow <*.livejournal.com> exclude <livejournal.com>
> ...exclude everything in livejournal.com? (It seems that it does.)

This would basically be a no-op.

The problem here is that there are potential for security problems no 
matter how we do it. If we said that <livejournal.com> didn't include 
subdomains many people would likely get bitten by:

deny <livejournal.com>

And then getting bitten by people linking to them from 
www.livejournal.com or www2.livejournal.com

/ Jonas
Received on Tuesday, 20 November 2007 00:58:08 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:50:08 UTC