
Web Access control allowing CORS agents

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 26 Nov 2013 19:18:15 +0100
Message-Id: <C7EBC3DB-6665-483A-BECB-AA0717D44EA3@bblfish.net>
To: Read-Write-Web <public-rww@w3.org>
Hi all [1],

  Working with Andrei at Mozilla in Paris [2] we came up with the following issue.

Background: 
  A JS agent from one domain making a request on a different domain needs the server
it is making requests to, be it GET, PUT, POST, DELETE or PATCH, to specify which JS agents
it trusts with the information. (This can be * for all agents, and agents are only
defined by (sub)domain.)
   It is not a good idea for an LDP server on the public internet to allow any agent
to execute non-idempotent actions such as POST, DELETE, PATCH and PUT on all resources
- that would really allow too much mischief.

   But we could allow that per container. This could be done using WAC by a simple 
rule such as

[[
  @prefix acl: <http://www.w3.org/ns/auth/acl#> . 
  @prefix foaf: <http://xmlns.com/foaf/0.1/> . 

[] acl:accessToClass [ acl:regex "https://stample.io/2013/test/.*" ];  
   acl:mode acl:Read, acl:Write; 
   acl:agent [ acl:cors "https://joe.rww.io" ] .
]]

So this is saying that agent http://joe.rww.io can have Read/Write Access to all files
under the directory /2013/test/.*

A better name than acl:cors is welcome. 

Henry 



[1] Sorry for not having responded to previous responses to my mails on this list.
I have been busy and will get back to those threads.
[2] http://hack.stample.co/

Social Web Architect
http://bblfish.net/
Received on Tuesday, 26 November 2013 18:18:45 UTC
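
The following is an added example, not part of the original message or of any WAC implementation: one way a server could turn a rule like the one above into a CORS decision. The rule object's field names and the HTTP-method-to-mode mapping are assumptions made for illustration.

```javascript
// Constructed rule mirroring the Turtle in the message; field names are hypothetical.
const RULES = [{
  pathRegex: "https://stample.io/2013/test/.*",
  modes: ["Read", "Write"],
  corsOrigins: ["https://joe.rww.io"],
}];

// Assumed HTTP-method-to-WAC-mode mapping (the message does not define one).
const MODE_FOR_METHOD = new Map([
  ["GET", "Read"], ["HEAD", "Read"],
  ["PUT", "Write"], ["POST", "Write"], ["PATCH", "Write"], ["DELETE", "Write"],
]);

// Accept only a serialized origin (scheme://host[:port]), as browsers send it.
function normaliseOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === value ? origin : null;
  } catch (err) {
    return null;
  }
}

// Returns the CORS response headers to send, or null to send none.
function corsHeadersFor(rules, originHeader, method, resourceUrl) {
  const origin = normaliseOrigin(String(originHeader));
  const mode = MODE_FOR_METHOD.get(method);
  if (!origin || !mode) return null;
  let target;
  try {
    target = new URL(resourceUrl).href; // resolves "../" before matching
  } catch (err) {
    return null;
  }
  for (const rule of rules) {
    // Anchor the pattern: it must match the whole URL, not a substring.
    if (!new RegExp("^(?:" + rule.pathRegex + ")$").test(target)) continue;
    if (!rule.modes.includes(mode)) continue;
    // Exact comparison: scheme, host and port must all agree.
    if (!rule.corsOrigins.includes(origin)) continue;
    const methods = [...MODE_FOR_METHOD.keys()]
      .filter((m) => rule.modes.includes(MODE_FOR_METHOD.get(m)));
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": methods.join(", "),
      "Vary": "Origin",
    };
  }
  return null;
}
```

The dots in the rule's pattern remain regex wildcards, so a rule author who means a literal host name should escape them.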
