Re: Aligning grouping of resources in POWDER and WAF Access Control.

Jonas Sicking wrote:
> 
> Anne van Kesteren wrote:
>> On Mon, 23 Jul 2007 20:29:42 +0200, Jonas Sicking <jonas@sicking.cc> 
>> wrote:
>>>>  OK, forget the ? notation. Your examples are very clear and we seem 
>>>> in full alignment that <foo.com> includes sub domains but 
>>>> <*.foo.com> wouldn't include foo.com itself.
>>>
>>> Sounds great. What do other people think of switching to this syntax? 
>>> The difference from the current spec would be to change
>>
>> The only slightly confusing thing is that <http://foo.com> also 
>> matches <http://bar.foo.com> but I suppose that's ok.
> 
> Yeah, I agree, but given all other alternatives I think this is better. 
> If for example someone does
> 
> CAC: allow <*> exclude <http://evil.com>
> 
> is most likely useless since the owners of very.evil.com are the same 
> ones as evil.com. So it's not unlikely that the rule can be easily 
> circumvented.
> 
> It's not ideal, but it's the least bad suggestion yet IMHO.

Sorry if the above is confusing. What I meant was that the above bad 
scenario can happen unless we let http://evil.com match all subdomains 
as well.

/ Jonas

Received on Thursday, 26 July 2007 04:41:06 UTC