- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 21 May 2007 13:40:24 +0200
- To: "Thomas Roessler" <tlr@w3.org>, "Jonas Sicking" <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>

On Mon, 21 May 2007 12:58:05 +0200, Thomas Roessler <tlr@w3.org> wrote:
> On 2007-05-07 17:31:17 +0200, Anne van Kesteren wrote:
>> Yes, my proposal was to allow "deny <rules> exclude <rules>" in
>> addition on HTTP headers.
>
> Ugh. That once again introduces an order dependency when evaluating
> the header, and makes things unnecessarily more fragile.

The latest editor draft tightly defines this. Instead of introducing an order dependency it simply builds up two separate lists which are then checked in order. (The deny list before the allow list.)

> (Also, you mentioned the effect on same-origin requests yourself,
> which might be rather unintuitive...)

This is always an issue. However, the draft clearly states everything only applies when the policy applies.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 21 May 2007 11:40:50 UTC