- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 13 Jun 2007 11:19:53 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>

On Thu, 07 Jun 2007 01:13:40 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> * What happens when the XML is not well-formed and how does this
>> interact with incremental parsing.
>
> This one is tricky for sure. IMHO we can't require that AC checks fail
> if the document fails to fully parse. In my implementation I plan to
> stop parsing once I hit the first start tag and if access hasn't been
> granted yet at that point abort. I don't want, for security reasons, to
> create any DOM nodes at all if access is denied, so it's not an option
> to create a full DOM and then do access checks.

This is now clarified by the specification. It specifies what you suggest.

> I also thought of a pretty important use-case that requires "deny" in
> the PIs. If the server sets an allow header, but you want to put a file
> on that server that you *don't* want people from other servers to have
> access to, you need to be able to specify that directly in the file. It
> is not enough to simply not put any AC PIs in the file since then the
> servers 'accept' will be used.

You could use

  <?access-control allow="*" exclude="*"?>

However, I added <?access-control deny=...?> for now.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Wednesday, 13 June 2007 09:20:09 UTC
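
The check discussed in this message (read the access-control PIs in the prolog, stop at the first start tag, create no DOM nodes), as an added example that is not part of the original message or of any implementation mentioned in it. The function names, the `header_allows` flag standing in for the server's allow header, the host matching rule, treating `exclude` like `deny`, and denying on a parse error before the root element are all assumptions.

```python
import re
from xml.parsers import expat

# Pseudo-attributes inside the PI data, e.g. allow="*" exclude="*"
_PSEUDO_ATTR = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')


class _FirstStartTag(Exception):
    """Raised to abandon parsing as soon as the root start tag is seen."""


def _matches(patterns, origin_host):
    # Assumed matching rule: space-separated list, "*" or exact host match.
    return any(p == "*" or p == origin_host for p in patterns.split())


def prolog_access_check(xml_bytes, origin_host, header_allows=False, chunk=16):
    """Decide access from the PIs that precede the first start tag.

    No tree is built: the only state kept is two booleans.
    """
    state = {"granted": header_allows, "denied": False}

    def on_pi(target, data):
        if target != "access-control":
            return
        attrs = {n: dq or sq for n, dq, sq in _PSEUDO_ATTR.findall(data)}
        if _matches(attrs.get("deny", ""), origin_host) or \
           _matches(attrs.get("exclude", ""), origin_host):
            state["denied"] = True      # a deny in the file beats the header
        elif _matches(attrs.get("allow", ""), origin_host):
            state["granted"] = True

    def on_start(name, attrs):
        raise _FirstStartTag()          # decision point: stop parsing here

    parser = expat.ParserCreate()
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        for i in range(0, len(xml_bytes), chunk):   # simulate network chunks
            parser.Parse(xml_bytes[i:i + chunk], False)
        parser.Parse(b"", True)
    except _FirstStartTag:
        return state["granted"] and not state["denied"]
    except expat.ExpatError:
        pass    # assumed: an error before any start tag is treated as denial
    return False
```

Because the decision is taken at the root start tag, content after that point, well-formed or not, never influences the result.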