Re: [AC] Access Control Algorithm

Jonas Sicking wrote:
> 
> Anne van Kesteren wrote:
>> On Tue, 24 Apr 2007 21:12:35 +0200, Jonas Sicking <jonas@sicking.cc> 
>> wrote:
>>> One thing that is very important IMHO is that it is possible using
>>> headers to turn off access to a whole server. One use case for this would
>>> be if a site notices some files are misconfigured and as an immediate
>>> security precaution disables access to all files while figuring out what
>>> is wrong.
>>> Another scenario would be a hosting server such as livejournal or
>>> geocities wanting to disable access to all their hosted files even
>>> though other users manage the contents of those files.
>>
>> How about changing:
>>
>>   rule ::= "allow" (pattern)+ ("exclude" (pattern)+)?
>>
>> To:
>>
>>   rule  ::= deny | allow
>>   deny  ::= "deny" (pattern)+
>>   allow ::= "allow" (pattern)+ ("exclude" (pattern)+)?
>>
>> And then letting the algorithm in section 3 first seek through all 
>> explicit deny clauses.
> 
> I actually liked the idea of going through the clauses in the order they 
> appear. It seems logical and easy for authors to follow that logic.
> 
> However as I've been thinking about this I do think that "exclude" can 
> be useful, at least for the processing instruction. One example I 
> brought up was a server administrator inside a firewall wanting to block 
> access to all files from servers outside the firewall. Such a header 
> would likely look something like:
> 
> deny <*> exclude <http://*.intranet.company.com> 
> <https://*.intranet.company.com>
> 
> This would then allow the page to explicitly define which sites would be 
> able to access it, but would prevent the page from accidentally allowing 
> access from an external site.

An even better idea occurred to me. How about the following syntax:

   rule    ::= deny | allow | default
   deny    ::= "deny" (pattern)+
   allow   ::= "allow" (pattern)+
   default ::= "default" (pattern)+

The rules are matched first-to-last; if a 'default' rule is hit, processing 
of the header is stopped and only the PI rules in the document are used. This 
allows the same set of rules to be constructed as if we had 'exclude' on 
both deny and allow, but is IMHO easier to read and see what matches what.

The name 'default' might not be ideal. 'none' or 'page' are other names 
I could think of.

/ Jonas
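The first-match evaluator sketched in this message, as an added example that is not part of the original thread or of the Access Control draft. It parses the proposed `deny | allow | default` grammar, walks the header rules first-to-last, and hands over to the document's processing-instruction (PI) rules when a `default` rule is hit. Three things are assumptions of this example rather than statements of the thread: `*` in a pattern stands for any run of characters and patterns are compared against the request origin (`scheme://host[:port]`, no path); when no header rule matches at all, the PI rules decide; and when nothing matches anywhere the verdict is `deny` (fail closed). The scenarios in `main` are constructed from the intranet and hosting-server examples discussed above.

```python
import re
from typing import List, Optional, Tuple

# A rule is (keyword, [patterns]); keyword is "deny", "allow" or "default".
Rule = Tuple[str, List[str]]
KEYWORDS = ("deny", "allow", "default")


def parse_rules(text: str) -> List[Rule]:
    """Parse a header or PI value into rules, per the proposed grammar:
         rule ::= deny | allow | default
         deny ::= "deny" (pattern)+   (likewise allow, default)
    Patterns are whitespace-separated <...> tokens (assumed tokenisation)."""
    rules: List[Rule] = []
    for tok in text.split():
        if tok in KEYWORDS:
            rules.append((tok, []))
        elif tok.startswith("<") and tok.endswith(">") and rules:
            rules[-1][1].append(tok[1:-1])
        else:
            raise ValueError(f"unexpected token {tok!r}")
    for kw, pats in rules:
        if not pats:
            raise ValueError(f"{kw!r} needs at least one pattern")
    return rules


def pattern_matches(pattern: str, origin: str) -> bool:
    """'*' matches any run of characters (assumption); everything else is literal.
    The whole origin must match, so 'http://*.intranet.company.com' does not
    match 'http://intranet.company.com.attacker.example'."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, origin) is not None


def first_match(rules: List[Rule], origin: str) -> Optional[str]:
    """Return the keyword of the first rule whose pattern list matches origin."""
    for kw, pats in rules:
        if any(pattern_matches(p, origin) for p in pats):
            return kw
    return None


def evaluate(header_rules: List[Rule], pi_rules: List[Rule], origin: str) -> str:
    """Header rules are matched first-to-last. 'allow'/'deny' decide at once;
    'default' stops header processing and leaves the decision to the PI rules.
    Assumed here: no header match also falls through to the PI rules, and no
    match anywhere yields 'deny' (fail closed)."""
    verdict = first_match(header_rules, origin)
    if verdict in ("allow", "deny"):
        return verdict
    verdict = first_match(pi_rules, origin)
    if verdict in ("allow", "deny"):
        return verdict
    return "deny"


def main() -> None:
    # Constructed scenario: firewall admin lets intranet pages decide for
    # themselves, everything else is denied regardless of the page's PI.
    # Equivalent to the earlier 'deny <*> exclude <intranet...>' form.
    header = parse_rules(
        "default <http://*.intranet.company.com> <https://*.intranet.company.com> "
        "deny <*>"
    )
    # The page's own PI, which (mistakenly) also allows an external site.
    pi = parse_rules("allow <http://wiki.intranet.company.com> <http://evil.example>")
    for origin in ("http://wiki.intranet.company.com",
                   "http://other.intranet.company.com",
                   "http://evil.example"):
        print(f"{origin:40} -> {evaluate(header, pi, origin)}")
    # Hosting-server scenario: one header rule switches off access site-wide.
    print("deny <*>:", evaluate(parse_rules("deny <*>"), pi, "http://evil.example"))


if __name__ == "__main__":
    main()
```

Because matching is first-to-last, rule order is part of the policy: `deny <*> default <http://*.intranet.company.com>` denies every origin, since the `deny` is hit before the `default` is ever considered.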

Received on Thursday, 26 April 2007 23:55:05 UTC