- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 07 May 2007 10:18:30 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote:
>> Have "allow", "deny" and "default". There is no "exclude". Order is
>> important. If headers say "deny" then immediately deny. If headers say
>> "allow" or "default" check with PIs. If PIs say "deny" deny. If PIs
>> say "allow" allow. If PIs say nothing and headers said "allow" allow.
>> Otherwise deny.
>>
>> If we allow "default" in PIs or not doesn't really matter to me. In
>> the end they are useless, but it would be consistent.
>
> So what would happen for:
>
> Content-Access-Control: allow <*.bar.com>, deny <*.bar.com>
>
> You seemed to imply that ordering was important, but I wonder if that's
> intuitive.

Yes, in my proposed algorithm that would indicate 'allow' since ordering is
important.

I have been thinking about this over the past few days and I actually think
I agree with you. While it might be confusing that

allow <*.bar.com> exclude <foo.bar.com>, allow <*.bar.com>

allows foo.bar.com, I think it's even more confusing that

allow <*.bar.com>, deny <foo.bar.com>

does.

So I think we should have both 'allow' and 'deny', both with 'exclude'.
Ordering is not important, but deny rules are processed first.

Not sure if we should have 'deny' PIs or not though. I'm open to arguments
both ways.

/ Jonas
Received on Monday, 7 May 2007 17:18:36 UTC