The user agent is responsible for validating that the requesting document (A) is allowed to access the contents of the requested document (B). This validation is performed by comparing the URL of the requesting document (A) with the rules specified in the access-control information associated with the requested document (B).
Access-control rules are specified in the Content-access-control HTTP header returned with the requested document (B). In addition, the access-control rules may be returned in an <?access-control?> processing instruction included in the XML prolog of the requested document (B).
All rules provided must be used. If any rule is not well-formed for any reason, the user agent must fall back to its default security policy. User agents must not use partial or incomplete information for comparison.
There are two types of rules: allow and deny. These rules are applied to targets. Targets can be domains, hosts, directories, or individual documents. Further, the rules can be restricted to certain protocols.
Comparing a target to the requesting URI is performed as follows, ordered from the least specific to the most specific. In order to properly support IRIs in place of URIs, all string comparisons must be performed bytewise.
example.org matches http://www.example.org/index.html
https://example.org matches https://www.example.org/index.html
test.www.example.com matches http://test.www.example.com/index.html
example.com/test/1/ matches http://www.example.com/test/1/index.html
example.com/index.html matches http://www.example.com/index.html
When multiple rules are present, they must be evaluated in the following order:
Evaluation is performed by evaluating the requesting URL against each rule. The last rule whose target matches the requesting URL is used. In the event that no rule matches the requesting URL, the user agent must use its default policy to determine whether to allow the requesting URL access.
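The target matching just described (domain, host, directory and document targets, with an optional protocol restriction, compared bytewise) and the last-match-wins evaluation with fallback to the default policy, as an added worked example. This is illustrative code written for this page, not the draft's own reference implementation: the (kind, target) tuple form of a rule, the helper names and the sample rule set are this example's assumptions, and the header and processing-instruction syntax is not reproduced.

```python
# Added example (not from the draft): a bytewise target matcher and a
# last-match-wins evaluator for the access-control rules described above.
# The (kind, target) tuple form of a rule and the helper names are this
# example's own assumptions.

ALLOW = "allow"
DENY = "deny"


def split_url(url: str):
    """Split a requesting URL into (scheme, host, path) as bytes.

    Done by hand rather than with urllib so that nothing is case-folded:
    the draft requires all comparisons to be bytewise.
    """
    raw = url.encode("utf-8")
    scheme, sep, rest = raw.partition(b"://")
    if not sep or not scheme:
        raise ValueError("requesting URL has no scheme")
    netloc, slash, path = rest.partition(b"/")
    host = netloc.rsplit(b"@", 1)[-1].split(b":", 1)[0]  # drop userinfo and port
    if not host:
        raise ValueError("requesting URL has no host")
    path = (slash + path).split(b"?", 1)[0].split(b"#", 1)[0]  # drop query/fragment
    return scheme, host, path


def parse_target(target: str):
    """Parse a rule target such as 'https://example.com/test/1/' into
    (scheme or None, host, path or None), all bytes.

    Raises ValueError for a target that is not well-formed, so the caller
    can fall back to its default policy instead of using partial rules.
    """
    raw = target.encode("utf-8")
    scheme = None
    if b"://" in raw:
        scheme, raw = raw.split(b"://", 1)
        if not scheme:
            raise ValueError("empty protocol restriction")
    host, slash, rest = raw.partition(b"/")
    if not host:
        raise ValueError("target has no host or domain")
    path = slash + rest if slash else None
    return scheme, host, path


def target_matches(target: str, requesting_url: str) -> bool:
    """True when the requesting URL falls under the target."""
    t_scheme, t_host, t_path = parse_target(target)
    scheme, host, path = split_url(requesting_url)

    # Protocol restriction: present only when the target carried a scheme.
    if t_scheme is not None and scheme != t_scheme:
        return False
    # Domain/host: the exact host, or any host within the target domain.
    # Requiring the "." keeps "example.org" from matching "notexample.org".
    if host != t_host and not host.endswith(b"." + t_host):
        return False
    if t_path is None:            # whole domain/host is the target
        return True
    if t_path.endswith(b"/"):     # directory target: everything beneath it
        return path.startswith(t_path)
    return path == t_path         # document target: that exact document only


def evaluate(rules, requesting_url: str, default_policy: str) -> str:
    """Apply (ALLOW|DENY, target) rules in the order given; returns ALLOW or DENY."""
    # Validate the whole set first: one malformed rule discards all of them,
    # because a partial rule set must never be used for comparison.
    try:
        for kind, target in rules:
            if kind not in (ALLOW, DENY):
                raise ValueError("unknown rule type %r" % kind)
            parse_target(target)
        split_url(requesting_url)
    except ValueError:
        return default_policy

    decision = None
    for kind, target in rules:
        if target_matches(target, requesting_url):
            decision = kind       # the last matching rule wins
    return decision if decision is not None else default_policy


# Constructed sample rule set: allow the whole domain, deny one directory,
# then re-allow a single document in that directory over https only.
SAMPLE_RULES = [
    (ALLOW, "example.org"),
    (DENY, "example.org/private/"),
    (ALLOW, "https://example.org/private/admin.html"),
]

if __name__ == "__main__":
    for url in ("http://www.example.org/index.html",
                "http://www.example.org/private/report.html",
                "https://www.example.org/private/admin.html",
                "http://www.example.org/private/admin.html",
                "http://notexample.org/index.html"):
        print(url, "->", evaluate(SAMPLE_RULES, url, DENY))
```

Two points the code makes explicit: the domain match requires the separating "." so a suffix such as notexample.org never matches a rule for example.org, and validation of every rule happens before any matching so that a single malformed rule sends the decision to the default policy rather than to whatever the well-formed rules alone would say.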