W3C home > Mailing lists > Public > public-appformats@w3.org > July 2007

Re: [ac] wildcard rules and subdomains

From: Thomas Roessler <tlr@w3.org>
Date: Sat, 7 Jul 2007 11:32:01 +0200
To: Jonas Sicking <jonas@sicking.cc>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <20070707093201.GQ6561@raktajino.does-not-exist.org>

On 2007-07-06 17:18:11 -0700, Jonas Sicking wrote:

> The other use case if your putting a resource on a server that
> grants access, but you don't want your particular resource to be
> accessible cross domain.

That use case is actually a recipe for desaster -- mainly because
there is no way for the server operator to know whether a client is
going to honor a policy or not.  After all, the client could be old
and predate (and therefore ignore) the access-control language.

That kind of scenario is, in fact, another reason why the
access-control language should not be able to express restrictions
that go beyond the existing sandbox model.  People will try to use
the language with "deny" for the use case that you describe, and (as
you said) "bad things will happen."

Thomas Roessler, W3C  <tlr@w3.org>
Received on Saturday, 7 July 2007 09:32:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:19 UTC