W3C home > Mailing lists > Public > public-webapi@w3.org > October 2007

Re: [access-control] Potential security problem (port should be auto-restricted)

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 03 Oct 2007 23:52:57 +0200
To: "Web API WG (public)" <public-webapi@w3.org>, "Jonas Sicking" <jonas@sicking.cc>
Message-ID: <op.tzm5qja564w2qv@annevk-t60.oslo.opera.com>

On Wed, 03 Oct 2007 01:40:33 +0200, Ian Hickson <ian@hixie.ch> wrote:
> I recommend that the spec default the port to the default port for the
> given scheme (80 for http:, 443 for https:, etc).

I believe this was removed based on feedback from implementors. But maybe  
we haven't fully considered all the options back then. I think we should  
integrate this proposal as to not require authors to specify :80 on their  
shared hosting accounts. The new algorithm would work as follows:

http://example.org matches against http://example.org:80 but not  
http://example.org:81 The port defaults to the default port for the scheme.

example.org matches against http://example.org:80,  
https://example.org:8000, etc. The scheme and port both act as a wildcard.

To make it possible to require a certain scheme but allow access from any  
port we can introduce * for port. So you can specify http://example.org:*  
which does match http://example.org:81 among others.

Any opinions?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 3 October 2007 21:53:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT