
Re: [access-control] Potential security problem (port should be auto-restricted)

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 04 Oct 2007 00:20:19 +0200
To: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.tzm6z5hv64w2qv@annevk-t60.oslo.opera.com>

Please ignore the e-mail below. If you do have an opinion about it please  
follow up on public-appformats@w3.org where it should've gone. Thanks!


On Wed, 03 Oct 2007 23:52:57 +0200, Anne van Kesteren <annevk@opera.com>  
wrote:
> On Wed, 03 Oct 2007 01:40:33 +0200, Ian Hickson <ian@hixie.ch> wrote:
>> I recommend that the spec default the port to the default port for the
>> given scheme (80 for http:, 443 for https:, etc).
>
> I believe this was removed based on feedback from implementors. But  
> maybe we haven't fully considered all the options back then. I think we  
> should integrate this proposal as to not require authors to specify :80  
> on their shared hosting accounts. The new algorithm would work as  
> follows:
>
> http://example.org matches against http://example.org:80 but not  
> http://example.org:81. The port defaults to the default port for the  
> scheme.
>
> example.org matches against http://example.org:80,  
> https://example.org:8000, etc. The scheme and port both act as a  
> wildcard.
>
> To make it possible to require a certain scheme but allow access from  
> any port we can introduce * for port. So you can specify  
> http://example.org:* which does match http://example.org:81 among others.
>
> Any opinions?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 3 October 2007 22:20:26 GMT
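As an added illustration (not code from the thread, from Opera or from any access-control implementation), the following Python matcher applies the three rules described in the quoted proposal: a scheme-qualified rule with no port matches only the scheme's default port, a bare host acts as a wildcard for both scheme and port, and `:*` matches any port on the given scheme. The default-port table and the simple host parsing (no bracketed IPv6 literals) are assumptions of this example.

```python
# Assumed table of scheme default ports; the proposal names 80 and 443.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_rule(rule):
    """Parse an access-control rule "[scheme://]host[:port|:*]" into
    (scheme, host, port); None stands for a wildcard component."""
    rule = rule.strip().lower()
    scheme, sep, rest = rule.partition("://")
    if not sep:                      # bare host: scheme and port are wildcards
        scheme, rest = None, rule
    host, sep, port_text = rest.rpartition(":")
    if not sep:                      # no explicit port given
        host = rest
        # With a scheme, the port defaults to that scheme's default port;
        # without one, the port stays a wildcard.
        port = None if scheme is None else DEFAULT_PORTS[scheme]
    elif port_text == "*":           # explicit "any port on this scheme"
        port = None
    else:
        port = int(port_text)
    if not host:
        raise ValueError("rule has no host: %r" % rule)
    return scheme, host, port


def parse_origin(origin):
    """Parse the requesting page's origin. Unlike a rule it must carry a
    scheme, and an absent port is filled in from the scheme default."""
    scheme, host, port = parse_rule(origin)
    if scheme is None or port is None:
        raise ValueError("origin needs a scheme and a concrete port: %r" % origin)
    return scheme, host, port


def rule_matches(rule, origin):
    """True if the rule admits the origin under the proposed defaults."""
    r_scheme, r_host, r_port = parse_rule(rule)
    o_scheme, o_host, o_port = parse_origin(origin)
    return (r_host == o_host
            and (r_scheme is None or r_scheme == o_scheme)
            and (r_port is None or r_port == o_port))
```

The point for a site on shared hosting is visible in the first two checks: `http://example.org` no longer admits `http://example.org:81`, so another tenant's service on a non-default port of the same host is excluded unless the author opts in with `:*`.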
