Re: [access-control] Potential security problem (port should be auto-restricted)

Anne van Kesteren wrote:
> 
> On Wed, 03 Oct 2007 01:40:33 +0200, Ian Hickson <ian@hixie.ch> wrote:
>> I recommend that the spec default the port to the default port for the
>> given scheme (80 for http:, 443 for https:, etc).
> 
> I believe this was removed based on feedback from implementors. But maybe
> we haven't fully considered all the options back then. I think we should
> integrate this proposal as to not require authors to specify :80 on their
> shared hosting accounts. The new algorithm would work as follows:
> 
> http://example.org matches against http://example.org:80 but not
> http://example.org:81 The port defaults to the default port for the scheme.

Sounds good.

> example.org matches against http://example.org:80,
> https://example.org:8000, etc. The scheme and port both act as a wildcard.

Hmm.. this isn't really ideal I think as it would be very easy to forget 
to add the 'http://' part and inadvertently end up in the situation Ian 
describes. Could we use the default port of the requesting scheme instead?

/ Jonas

Received on Wednesday, 3 October 2007 22:54:05 UTC