- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 06 Jul 2007 17:18:11 -0700
- To: Thomas Roessler <tlr@w3.org>, "WAF WG (public)" <public-appformats@w3.org>
Thomas Roessler wrote:
> On 2007-07-05 15:16:34 -0700, Jonas Sicking wrote:
>
>> An alternative solution is to remove the wildcard syntax
>> entirely, and say that it's implicitly always there. So
>
>> Content-Access-Control: deny <evil.com>, allow <good.com>
>
>> denies evil.com together with subdomains, while allowing good.com
>> together with subdomains.
>
> To be clear, I don't object against that particular wildcard syntax.
> However, part of this discussion is likely moot given the thread
> that Rhys (rightly) opened up with respect to the interaction with
> POWDER.

From what I understood POWDER is changing their syntax so I think we could take a lead here and hopefully they will follow us.

> On 2007-07-06 10:23:10 -0700, Jonas Sicking wrote:
>
>> sigh, keeping saying that without coming up with an alternative
>> seems very unproductive.
>
> I agree that we seem not to be making much progress on the "deny"
> issue on the mailing list.
>
> To summarize, the concerns are:
>
> - "deny" lets people express policies that might not be enforced
> since semantics are expressed in terms of adding to the list of
> sites for which access is permissible.

This is true for the 'exclude' syntax too. The rule

Content-Access-Control: allow <*.foo.com> exclude <evil.foo.com>

will in fact allow pages from evil.foo.com to access this resource if the resource is located at evil.foo.com.

Note that even for deny the only time it doesn't do what you might expect it to is if you're explicitly denying the server where the resource is located.

> The one use case that we have for the "deny" statement so far is
> configuring web servers on which somebody might have put erroneous
> "allow" authorizations, in case there is a practical attack going
> on. I agree that it's a valid concern, but I disagree that it
> should lead to a change to the language.

The other use case is if you're putting a resource on a server that grants access, but you don't want your particular resource to be accessible cross domain.

> Therefore, I'm essentially proposing that we do not treat this use
> case.
>
> This is ultimately a question that the two of us won't solve by
> running our heads against each other, either in e-mail or on the
> phone. I'd therefore (as I said before) like to hear the opinions
> that others hold on this question.

Agreed. I should note that this use case was one that was brought up during our security review of access-control at Mozilla, and one that we felt needed to be addressed. So it's not just me personally that feels this way.

/ Jonas
Received on Saturday, 7 July 2007 00:18:29 UTC
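
An added example, not part of the original message or of the draft specification: a simplified JavaScript model of the behaviour described above, where a policy only adds cross-site readers, so a `deny` or `exclude` that names the hosting server has no effect. The function names, hostname-only matching, strict-subdomain reading of `*.foo.com`, and deny-over-allow precedence are assumptions made for illustration.

```javascript
// Simplified model, added for illustration. Assumptions: only the rule forms
// quoted in this thread are parsed, origins are reduced to bare hostnames,
// "*.foo.com" matches strict subdomains, and an applicable deny beats allow.

// implicitSubdomains = true models the proposal to drop the wildcard syntax
// and treat every pattern as covering its subdomains.
function hostMatches(pattern, host, implicitSubdomains) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  if (host === pattern) return true;
  return implicitSubdomains && host.endsWith("." + pattern);
}

// Parse 'deny <a>, allow <b> exclude <c>' into rules; an exclude narrows the
// rule that precedes it.
function parsePolicy(header) {
  const rules = [];
  for (const [, kind, pattern] of header.matchAll(/(allow|deny|exclude)\s*<([^>]+)>/g)) {
    if (kind !== "exclude") {
      rules.push({ kind, pattern, exclude: [] });
    } else if (rules.length > 0) {
      rules[rules.length - 1].exclude.push(pattern);
    } else {
      throw new Error("exclude without a preceding rule");
    }
  }
  return rules;
}

function mayRead(header, resourceHost, requesterHost, implicitSubdomains = false) {
  // Same-site access never consults the header: the policy only adds to the
  // set of permitted readers, so it cannot remove the hosting server itself.
  if (requesterHost === resourceHost) return true;
  const applies = (r) =>
    hostMatches(r.pattern, requesterHost, implicitSubdomains) &&
    !r.exclude.some((p) => hostMatches(p, requesterHost, implicitSubdomains));
  const hits = parsePolicy(header).filter(applies);
  return hits.some((r) => r.kind === "allow") && !hits.some((r) => r.kind === "deny");
}

// Constructed sample checks using the two headers quoted in the thread.
const EXCLUDE_POLICY = "allow <*.foo.com> exclude <evil.foo.com>";
const DENY_POLICY = "deny <evil.com>, allow <good.com>";
console.log(mayRead(EXCLUDE_POLICY, "www.foo.com", "evil.foo.com"));  // cross-site
console.log(mayRead(EXCLUDE_POLICY, "evil.foo.com", "evil.foo.com")); // same host
console.log(mayRead(DENY_POLICY, "example.org", "app.good.com", true));
```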