Re: [access-control] Potential security problem (port should be auto-restricted)

Please ignore the e-mail below. If you do have an opinion about it please  
follow up on public-appformats@w3.org where it should've gone. Thanks!


On Wed, 03 Oct 2007 23:52:57 +0200, Anne van Kesteren <annevk@opera.com>  
wrote:
> On Wed, 03 Oct 2007 01:40:33 +0200, Ian Hickson <ian@hixie.ch> wrote:
>> I recommend that the spec default the port to the default port for the
>> given scheme (80 for http:, 443 for https:, etc).
>
> I believe this was removed based on feedback from implementors. But  
> maybe we haven't fully considered all the options back then. I think we  
> should integrate this proposal as to not require authors to specify :80  
> on their shared hosting accounts. The new algorithm would work as  
> follows:
>
> http://example.org matches against http://example.org:80 but not  
> http://example.org:81 The port defaults to the default port for the  
> scheme.
>
> example.org matches against http://example.org:80,  
> https://example.org:8000, etc. The scheme and port both act as a  
> wildcard.
>
> To make it possible to require a certain scheme but allow access from  
> any port we can introduce * for port. So you can specify  
> http://example.org:* which does match http://example.org:81 among others.
>
> Any opinions?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Wednesday, 3 October 2007 22:20:26 UTC