- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 21 May 2007 16:27:20 -0700
- To: Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
Thomas Roessler wrote: > On 2007-05-07 10:18:30 -0700, Jonas Sicking wrote: >> I have been thinking about this over the past few days and I actually think >> I agree with you. While it might be confusing that >> >> allow <*.bar.com> exclude <foo.bar.com>, allow <*.bar.com> >> >> allows foo.bar.com. I think it's even more confusing that >> >> allow <*.bar.com>, deny <foo.bar.com> >> >> does. So I think we should have both 'allow' and 'deny', both >> with 'exclude'. Ordering is not important, but deny rules are >> processed first. > > I get back to my earlier argument: This suggests to a policy author > that they can further restrict existing policies. Have fun with the > bugreports. I'm all ears for other proposals, but I think it is critical that both the server operator and the content author can restrict access to the files to at least the default policy that UAs use today. Anything else would make me very nervous to implement this at all. I agree that you could make the server go through all the public files on the filesystem and modify them to add excludes as appropriate, or filter each request on the fly. However that system is significantly more complicated and I doubt that anyone would have that ready to go once the problem hits. It also does not allow the content author to override a server set AC header. / Jonas
Received on Monday, 21 May 2007 23:31:25 UTC