- From: Thomas Roessler <tlr@w3.org>
- Date: Sat, 7 Jul 2007 00:47:15 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Mark Nottingham <mnot@yahoo-inc.com>, "WAF WG (public)" <public-appformats@w3.org>
On 2007-07-05 15:16:34 -0700, Jonas Sicking wrote:

> An alternative solution is to remove the wildcard syntax
> entirely, and say that it's implicitly always there. So
> Content-Access-Control: deny <evil.com>, allow <good.com>
> denies evil.com together with subdomains, while allowing good.com
> together with subdomains.

To be clear, I don't object against that particular wildcard syntax. However, part of this discussion is likely moot given the thread that Rhys (rightly) opened up with respect to the interaction with POWDER.

On 2007-07-06 10:23:10 -0700, Jonas Sicking wrote:

> sigh, keep saying that without coming up with an alternative
> seems very unproductive.

I agree that we seem not to be making much progress on the "deny" issue on the mailing list. To summarize, the concerns are:

- "deny" lets people express policies that might not be enforced since semantics are expressed in terms of adding to the list of sites for which access is permissible.
- This perception might create a slippery slope toward applying the access-control information for other use cases, including inlining of resources. I would suggest to be very careful before going down that way, and while Anne rightly argues that these are different use cases that shouldn't be mixed, it's not clear that everybody would subscribe to that argument.
- The "deny" statement adds complexity to the language's semantics, therefore causes more opportunities for mistakes.

The one use case that we have for the "deny" statement so far is configuring web servers on which somebody might have put erroneous "allow" authorizations, in case there is a practical attack going on. I agree that it's a valid concern, but I disagree that it should lead to a change to the language. Therefore, I'm essentially proposing that we do not treat this use case.

This is ultimately a question that the two of us won't solve by running our heads against each other, either in e-mail or on the phone. I'd therefore (as I said before) like to hear the opinions that others hold on this question.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Friday, 6 July 2007 22:47:20 UTC
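The header syntax quoted in the message, worked through by a small policy checker. This is an added example, not code from the thread, from the WAF WG, or from any browser: the implicit-subdomain matching follows Jonas's proposal as quoted, while the precedence rule (a matching deny wins over any matching allow regardless of order, and nothing is allowed unless listed), the hostname grammar, and the `redundant_denies` helper are assumptions made here. That helper reports deny entries that no allow entry would ever have granted, which is the situation behind the first concern in Thomas's list: a "deny" that is never enforced because the allow list alone already excludes the host.

```python
import re

# Grammar assumed here: comma-separated items of the form
#   allow <host>   or   deny <host>
# where <host> is a bare DNS name (no wildcards; subdomains are implicit).
_ITEM = re.compile(r'^(allow|deny)\s+<([^>]+)>$')
_HOSTNAME = re.compile(r'^[a-z0-9-]+(\.[a-z0-9-]+)*$')


def parse_policy(header_value):
    """Parse 'deny <evil.com>, allow <good.com>' into [(verb, host), ...].

    Anything outside the assumed grammar raises ValueError so that a
    malformed header fails closed rather than silently granting access.
    """
    rules = []
    for item in header_value.split(','):
        item = item.strip()
        if not item:
            continue
        m = _ITEM.match(item)
        if not m:
            raise ValueError('malformed access-control item: %r' % item)
        verb, host = m.group(1), m.group(2).strip().lower().rstrip('.')
        if not _HOSTNAME.match(host):
            raise ValueError('not a bare hostname: %r' % host)
        rules.append((verb, host))
    return rules


def host_matches(pattern, host):
    """Implicit wildcard: pattern matches itself and every subdomain.

    Matching is done on label boundaries, so 'good.com' covers
    'app.good.com' but not 'notgood.com'.
    """
    host = host.lower().rstrip('.')
    return host == pattern or host.endswith('.' + pattern)


def is_allowed(header_value, requesting_host):
    """Decide whether requesting_host may access the resource.

    Assumed precedence: any matching deny wins over any matching allow,
    whatever the order in the header; with no matching allow at all the
    answer is no.
    """
    allowed = False
    for verb, pattern in parse_policy(header_value):
        if host_matches(pattern, requesting_host):
            if verb == 'deny':
                return False
            allowed = True
    return allowed


def redundant_denies(rules):
    """Return deny hosts that change nothing under the semantics above.

    A deny entry only matters if some allow entry overlaps it: either the
    allow covers the denied host (allow <example.com>, deny <bad.example.com>)
    or the denied host covers the allowed one (deny <com>, allow <good.com>).
    """
    allows = [h for v, h in rules if v == 'allow']
    redundant = []
    for verb, denied in rules:
        if verb != 'deny':
            continue
        overlaps = any(host_matches(a, denied) or host_matches(denied, a)
                       for a in allows)
        if not overlaps:
            redundant.append(denied)
    return redundant


if __name__ == '__main__':
    policy = 'deny <evil.com>, allow <good.com>'   # the header from the thread
    for h in ('good.com', 'app.good.com', 'evil.com', 'sub.evil.com',
              'notgood.com', 'other.com'):
        print('%-14s -> %s' % (h, 'allow' if is_allowed(policy, h) else 'deny'))
    print('redundant deny entries:', redundant_denies(parse_policy(policy)))
```

Run against the thread's own header, `deny <evil.com>` comes back as redundant: with an allow list of only `good.com`, evil.com would have been refused anyway, so the deny expresses intent without changing the outcome. The deny only starts doing work when an allow entry overlaps it, as in `allow <example.com>, deny <bad.example.com>`, which is exactly the "erroneous allow" scenario the message describes.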