The user agent is responsible for validating that the requesting document (A) is allowed to access the contents of the requested document (B). This validation is performed by comparing the URL of the requesting document (A) with the rules specified in the access-control information associated with the requested document (B).
Access-control rules are specified in the Content-access-control HTTP header returned with the requested document (B). In addition, the access-control rules may be returned in an <?access-control?> processing instruction included in the XML prolog of the requested document (B).
All rules provided must be used. If any rule is not well-formed for any reason, the user agent must fall back to its default security policy. User agents must not use partial or incomplete information for comparison.
There are two types of rules: allow and deny. These rules are applied to targets.
Targets are URIs which may contain the '*' character as a wildcard. Wildcards may be placed anywhere in a URI string. Wildcards do not allow for substring matching (http*:// is not allowed). Wildcards have the following rules:
*://example.com is allowed; http*:// is not allowed
http://*.example.com does match http://www.example.com/ but does NOT match http://test.www.example.com
http://www.example.com/*/index.html matches http://www.example.com/test/a/b/c/index.html
http://www.example.com/test/* matches http://www.example.com/test/a/b/c/index.html
Rules are considered least specific to most specific in the following order:
Comparing a target to the requesting URI is performed by a bytewise comparison of the URI to the target.
When multiple rules are present, they must be evaluated in the following order:
The requesting URL is evaluated against each rule. The last rule whose target matches the requesting URL is used. In the event that no rule matches the requesting URL, the user agent must use its default policy to determine whether to allow the requesting URL access.
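The wildcard and evaluation rules above can be exercised with the following sketch, which is an added example and not code from the specification or any user agent. The function names, the rule-object shape, and the `'deny'` default are assumptions; it also assumes that rules arrive already in evaluation order, that a path `*` spans one or more segments, and that an empty path is treated as `/`.

```javascript
// Added example. Function names and the rule-object shape are assumptions.
const SPLIT = /^([^:\/]+):\/\/([^\/]+)(\/.*)?$/;

// Split a target or URL into scheme, host labels and path segments.
// Assumption: an empty path is normalized to "/".
function parts(s) {
  const m = SPLIT.exec(s);
  if (!m) return null;
  return { scheme: m[1], host: m[2].split('.'), path: (m[3] || '/').split('/').slice(1) };
}

// Well-formed only if every '*' fills a whole component ("http*" is rejected).
function wellFormed(target) {
  const p = parts(target);
  return !!p && [p.scheme, ...p.host, ...p.path].every(c => c === '*' || !c.includes('*'));
}

// Assumption: a path '*' spans one or more segments, as in the /*/index.html case.
function matchPath(pat, segs) {
  if (pat.length === 0) return segs.length === 0;
  if (pat[0] !== '*') {
    return segs.length > 0 && pat[0] === segs[0] && matchPath(pat.slice(1), segs.slice(1));
  }
  for (let n = 1; n <= segs.length; n++) {
    if (matchPath(pat.slice(1), segs.slice(n))) return true;
  }
  return false;
}

// Exact, case-sensitive comparison per component; a host '*' covers one label only.
function matches(target, url) {
  const t = parts(target), u = parts(url);
  if (!t || !u) return false;
  const same = (a, b) => a === '*' || a === b;
  return same(t.scheme, u.scheme) &&
    t.host.length === u.host.length && t.host.every((l, i) => same(l, u.host[i])) &&
    matchPath(t.path, u.path);
}

// rules: [{ type: 'allow' | 'deny', target }], assumed to be in evaluation order.
// defaultPolicy stands in for the user agent's own default (value is an assumption).
function decide(rules, requestingUrl, defaultPolicy = 'deny') {
  // One malformed rule voids the whole set: never decide on partial information.
  const ok = rules.every(r => ['allow', 'deny'].includes(r.type) && wellFormed(r.target));
  if (!ok) return defaultPolicy;
  let verdict = defaultPolicy;
  for (const r of rules) if (matches(r.target, requestingUrl)) verdict = r.type; // last match wins
  return verdict;
}
```

Rejecting the whole rule set on a single malformed target keeps a truncated or tampered header from silently widening access.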