- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 19 Nov 2007 16:57:17 -0800
- To: Ian Hickson <ian@hixie.ch>
- CC: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
>>> Why is the "*." bit redundant in the domain part? How do I make sure
>>> something matches "livejournal.com" but not
>>> "ianhickson.livejournal.com"?
>>
>> allow <livejournal.com> exclude <ianhickson.livejournal.com>
>>
>> or more generic
>>
>> allow <livejournal.com> exclude <*.livejournal.com>
>
> Hm. Ok. I'm pretty sure this is confusing enough that it'll be the source
> of security holes in future, though.
>
> Does
>
> allow <*.livejournal.com> exclude <livejournal.com>
>
> ...exclude everything in livejournal.com? (It seems that it does.)

This would basically be a no-op.

The problem here is that there is potential for security problems no
matter how we do it. If we said that <livejournal.com> didn't include
subdomains many people would likely get bitten by:

deny <livejournal.com>

And then getting bitten by people linking to them from
www.livejournal.com or www2.livejournal.com

/ Jonas

Received on Tuesday, 20 November 2007 00:58:08 UTC
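
The matching behaviour discussed in this message, as an added example that is not part of the original e-mail or of the specification. It assumes patterns are bare host names (no scheme or port), that `*.name` covers subdomains only, and that a bare `name` covers the host plus its subdomains unless the alternative reading is selected; the function names, the rule labels and the `notlivejournal.com` host are constructed for illustration.

```javascript
// Added illustration; a simplified model, not the specification's algorithm.
// Assumption: patterns are bare host names (no scheme or port).
// "*.name" matches subdomains of name only. A bare "name" matches the exact
// host and, when bareIncludesSubdomains is true, every subdomain as well.
function hostMatches(pattern, host, bareIncludesSubdomains) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith("*.")) return h.endsWith(p.slice(1));
  if (h === p) return true;
  // Compare on a label boundary so "notlivejournal.com" never matches.
  return bareIncludesSubdomains && h.endsWith("." + p);
}

// Access is granted when some allow pattern matches and no exclude pattern does.
function allowed(rule, host, inclusive) {
  const hit = (list) => list.some((p) => hostMatches(p, host, inclusive));
  return hit(rule.allow) && !hit(rule.exclude);
}

// A deny rule blocks a host when any of its patterns matches.
function denied(patterns, host, inclusive) {
  return patterns.some((p) => hostMatches(p, host, inclusive));
}

// Hosts taken from the thread, plus one constructed look-alike.
const HOSTS = ["livejournal.com", "www.livejournal.com",
               "ianhickson.livejournal.com", "notlivejournal.com"];

// Returns the subset of HOSTS that a rule lets through.
function admitted(rule, inclusive) {
  return HOSTS.filter((h) => allowed(rule, h, inclusive));
}

const RULES = {
  exceptOne: { allow: ["livejournal.com"], exclude: ["ianhickson.livejournal.com"] },
  apexOnly:  { allow: ["livejournal.com"], exclude: ["*.livejournal.com"] },
  reversed:  { allow: ["*.livejournal.com"], exclude: ["livejournal.com"] },
};

for (const [name, rule] of Object.entries(RULES)) {
  console.log(name, "admits", admitted(rule, true));
}
// The deny case from the message, under each reading of a bare name.
for (const inclusive of [true, false]) {
  console.log("bare name covers subdomains:", inclusive, "-> blocked:",
              HOSTS.filter((h) => denied(["livejournal.com"], h, inclusive)));
}
```

With subdomain-inclusive bare names the `reversed` rule admits nothing; with exact-only bare names the same `deny` pattern leaves `www.livejournal.com` unblocked.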