Re: [access-control] Potential security problem (port should be auto-restricted)

On Wed, 03 Oct 2007 01:40:33 +0200, Ian Hickson <ian@hixie.ch> wrote:
> I recommend that the spec default the port to the default port for the
> given scheme (80 for http:, 443 for https:, etc).

I believe this was removed based on feedback from implementors. But maybe
we hadn't fully considered all the options back then. I think we should
integrate this proposal so as not to require authors to specify :80 on their
shared hosting accounts. The new algorithm would work as follows:

http://example.org matches against http://example.org:80 but not
http://example.org:81. The port defaults to the default port for the scheme.

example.org matches against http://example.org:80,
https://example.org:8000, etc. The scheme and port both act as a wildcard.

To make it possible to require a certain scheme but allow access from any
port we can introduce * for port. So you can specify http://example.org:*
which does match http://example.org:81 among others.

Any opinions?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Wednesday, 3 October 2007 22:18:04 UTC
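The matching rule proposed above, written out as an added example that is not code from the original thread or the spec. It assumes the default ports 80 for http and 443 for https, that a scheme-less pattern wildcards the scheme (and the port unless one is given explicitly), and that a port of `*` wildcards the port only.

```javascript
// Added example: one reading of the proposed access-control origin matching.
// Assumed default ports (the message names 80 and 443 for http and https).
const DEFAULT_PORTS = { http: 80, https: 443 };

// Parse "scheme://host:port", "scheme://host", "host:port" or "host" into
// { scheme, host, port }. scheme and port are null when absent; port may be
// the explicit wildcard "*". Throws on anything that does not fit that shape.
function parseOriginPattern(text) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?$/i.exec(text.trim());
  if (!m) throw new Error(`malformed origin pattern: ${text}`);
  const scheme = m[1] ? m[1].toLowerCase() : null;
  const host = m[2].toLowerCase();
  let port = m[3] === undefined ? null : m[3];
  if (port !== null && port !== '*') port = Number(port);
  return { scheme, host, port };
}

// Effective port: an explicit number wins, otherwise the scheme's default,
// otherwise null (unknown scheme with no port given).
function effectivePort(entry) {
  if (entry.port !== null) return entry.port;
  if (entry.scheme !== null && entry.scheme in DEFAULT_PORTS) return DEFAULT_PORTS[entry.scheme];
  return null;
}

// Does the allow-list pattern admit the requesting origin? The origin must
// carry a scheme and must not itself use the "*" wildcard.
function originMatches(patternText, originText) {
  const pat = parseOriginPattern(patternText);
  const origin = parseOriginPattern(originText);
  if (origin.scheme === null || origin.port === '*') {
    throw new Error(`not a concrete origin: ${originText}`);
  }
  if (pat.host !== origin.host) return false;
  if (pat.scheme === null) {
    // Scheme-less pattern: any scheme; any port unless the pattern pins one
    // (the message only covers the no-port case; pinning is an assumption).
    return pat.port === null || pat.port === '*' || pat.port === effectivePort(origin);
  }
  if (pat.scheme !== origin.scheme) return false;
  if (pat.port === '*') return true;
  // Both sides resolve to a port (explicit or scheme default) and must agree.
  return effectivePort(pat) === effectivePort(origin);
}
```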