
Re: [access-control] Potential security problem (port should be auto-restricted)

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 04 Oct 2007 12:36:08 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.tzn42ijh64w2qv@annevk-t60.oslo.opera.com>

On Thu, 04 Oct 2007 00:53:04 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Sounds good.

Done.


>> example.org matches against http://example.org:80,
>> https://example.org:8000, etc. The scheme and port both act as a  
>> wildcard.
>
> Hmm.. this isn't really ideal I think as it would be very easy to forget  
> to add the 'http://' part and inadvertently end up in the situation Ian  
> describes. Could we use the default port of the requesting scheme  
> instead?

Done:

   http://dev.w3.org/2006/waf/access-control/#match


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 4 October 2007 10:36:26 GMT
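
The two matching behaviours discussed in this message, sketched as an added example that is not part of the original e-mail or of the Access Control draft. The simplified pattern grammar (`[scheme://]host[:port]`, no subdomain wildcards), the function names and the mode names `"wildcard"` and `"default-port"` are assumptions made for illustration.

```javascript
// Constructed illustration: simplified grammar, not the draft's access-item syntax.
const DEFAULT_PORT = { http: 80, https: 443 };

// Split a requesting origin into scheme, host and effective port.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port === "" ? DEFAULT_PORT[scheme] : Number(u.port);
  return { scheme, host: u.hostname.toLowerCase(), port };
}

// Split a policy pattern; an omitted scheme or port is recorded as null.
function parsePattern(pattern) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?$/i.exec(pattern);
  if (!m) throw new Error("unparseable pattern: " + pattern);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] ? Number(m[3]) : null,
  };
}

// mode "wildcard": an omitted port matches any port (the behaviour quoted first).
// mode "default-port": an omitted port means the default port of the
// requesting scheme (the change requested in the reply).
function matches(pattern, origin, mode) {
  const p = parsePattern(pattern);
  const o = parseOrigin(origin);
  if (p.host !== o.host) return false;
  if (p.scheme !== null && p.scheme !== o.scheme) return false;
  if (p.port !== null) return p.port === o.port;
  if (mode === "wildcard") return true;
  return o.port === DEFAULT_PORT[o.scheme];
}

// Origins a policy admits only because the omitted port is a wildcard.
function admittedOnlyByWildcard(pattern, origins) {
  return origins.filter(
    (o) => matches(pattern, o, "wildcard") && !matches(pattern, o, "default-port")
  );
}

// Constructed sample origins, taken from the forms mentioned in the thread.
const sample = ["http://example.org:80", "https://example.org", "https://example.org:8000"];
console.log(admittedOnlyByWildcard("example.org", sample));
```

Running the last function over an existing policy list shows which entries would stop admitting non-default ports once the default-port rule applies.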
