- From: Brad Porter <brad@tellme.com>
- Date: Sat, 28 Oct 2006 15:49:21 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote: > On Sat, 28 Oct 2006 17:22:23 +0200, Brad Porter <brad@tellme.com> wrote: >> I can go either way on this. The original NOTE was targeted to a >> very specific use-case and not intended to be a generalized access >> mechanism. That use case (XML read by applications running in a >> browser) is an important use case by itself. > > I agree. This specification doesn't prohibit that though. VoiceXML > would just say that for non-same-origin resources the access control > policy as defined in [ACCESS-CONTROL] is applicable and what it would > mean for that resource to be in "default", "allow" or "deny" state. You are correct, the specification doesn't really prohibit other specifications using the mechanism for other use cases. Though the title/abstract/introduction in particular used to be much more specific on the intended use-case for this mechanism (XML read by browser applications). The problem with letting other specifications define how to use the mechanism is that unless we specify some way to specify access-control-for-function-X, then two specifications might declare two different purposes for the header which conflict. For instance, a specification might say "if access-control is deny for a document to be displayed in a sub-frame, the contents of that document must not be displayed in the sub-frame." Another specification might say "if access-control is deny for a document to be requested by XmlHttpRequest, the contents of that document must not be parsed and made available to the application." As an author, if you want to allow your content to be displayed as a sub-frame, but not allow your content to be accessed via XmlHttpRequest, what do you do? As I said, I could go either way, but if we just want to say "this is a mechanism independent of function, here you go, you must specify the functional behavior in its context", then I think we need to enable a way to say "access-control-for-function-X". Currently, the specification states " >> I don't feel like we've analyzed enough general use-cases for >> access-control to say that the mechanism is sufficiently general for >> the variety of use-cases that have been mentioned (restricting access >> to images, etc.). > > Note that my proposal is not to make it generic. It just says that > other specifications have to define when you have to apply the access > control policy to a resource and what it would mean for such a > resource to be in one of the three returned states. > > >> That said, we could also leave that analysis exercise to those >> writing the specification that references this. I do worry that if >> there are two separate access-control use cases applicable to a >> single document (disallow access for X, but allow access for Y) then >> we could be in conflict. > > I don't really understand this. See description above. > > >>> The allow and deny ruleset, together with the request URI (referrer) >>> form an input for the access control policy. The outcome is either >>> "access denied", "access granted" or "default" (or something along >>> those lines). >>> >>> Specifications using this specification must define for which >>> resources the access control policy is applicable. Those >>> specifications must also define what "access denied", "access >>> granted" and "default" mean in the context of that specification >>> (throwing an exception, etc.). (XXX: I suppose that in most cases >>> "default" is treated as "access denied". Not sure how to say that >>> here though.) >> >> Yes, though if we want to make it general, I don't think we can >> specify a default. For instance, the <img src=""> case should >> probably default to allow. > > In the case of <img src=""> the whole access control policy probably > doesn't apply at all. (Unless you want it and in that case you'd have > to define that in the relevant specification...) Right, I'm suggesting we either want to consider those potential use cases, or we should state that this is not intended for that purpose and it isn't appropriate to reference/use this mechanism for anything other than XML-read > > >>> XXX: Probably say something about this only being safe for GET and >>> HEAD requests. >>> >>> When fetching a resource the following algorithm must be followed: >>> >>> When a resource is retrieved over HTTP extract a deny and allow >>> ruleset from the Access-Control (XXX: Content-Access-Control?) >>> header(s). That, together with the request URI, forms an input for >>> the access control policy. If the result is "access denied" return >>> that and terminate the algorithm. >> >> I missed the justification for HTTP overriding document level? Is >> this just to support priority of protocol over content? The use case >> that a web-server might generally disallow, but a document wants to >> specifically allow in certain cases seems quite valid. > > Something like > > Content-Access-Control:deny="*" > > <?access-control allow="foobar.com"?> > > I suppose that's a valid issue. I'm fine either way so I suggest the > specification says to take both into account and only HTTP for HEAD > requests. The specification does currently say that rules may be specified in both places and that all rules must be used. Consequently, the most appropriate reading is that HEAD-only requests are insufficient to make a determination. Do we have a use-case for HEAD-only requests? --Brad > --Anne van Kesteren > <http://annevankesteren.nl/> > <http://www.opera.com/> > >
Received on Saturday, 28 October 2006 22:49:46 UTC