Re: ISSUE-12 (access-control-policy-path): IIS and Access-Control-Policy-Path [Access Control]

Web Applications Working Group Issue Tracker wrote:
> ISSUE-12 (access-control-policy-path): IIS and Access-Control-Policy-Path [Access Control]
> 
> http://www.w3.org/2008/webapps/track/issues/
> 
> Raised by: Anne van Kesteren
> On product: Access Control
> 
> [[ This issue was created on 2008-06-06 as Issue #25 in the Web Applications Formats (WAF) WG and is copied in totality to the Web Applications WG's Issues database:
> <http://www.w3.org/2005/06/tracker/waf/issues/25> ]]
> 
>     IIS servers have an issue in that resources can be addressed by several distinct URIs as explained in this e-mail:
> 
>     http://lists.w3.org/Archives/Public/public-appformats/2008May/0039.html
> 
>     This impacts the design of Access-Control-Policy-Path to some extent. Two proposals have been put forward by members of the WG to address this issue:
> 
>     A. If a URI (also one given during redirects, etc.) contains the "\.." sequence (or the escaped form) apply the generic network error steps.
> 
>     B. Warn against using the Access-Control-Policy-Path feature in servers that exhibit this behavior.

There is also:

C. Drop Access-Control-Policy-Path from this version of the spec.

Mozilla will not implement Access-Control-Policy-Path if the only 
protection mechanism is warning IIS users not to use it. Of course, we 
are fine with prohibiting the "\.." even if the spec allows it. Though 
we think it would be better for all involved parties if the spec had a 
normative requirement to deal with this issue since we think it would 
result in a safer web and would allow IIS administrators to take 
advantage of this feature.

/ Jonas

Received on Monday, 23 June 2008 21:30:01 UTC