Re: [access-control] Potential security problem (port should be auto-restricted) from Anne van Kesteren on 2007-10-04 (public-appformats@w3.org from October 2007)

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 04 Oct 2007 12:36:08 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.tzn42ijh64w2qv@annevk-t60.oslo.opera.com>

On Thu, 04 Oct 2007 00:53:04 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Sounds good.

Done.


>> example.org matches against http://example.org:80,
>> https://example.org:8000, etc. The scheme and port both act as a  
>> wildcard.
>
> Hmm.. this isn't really ideal I think as it would be very easy to forget  
> to add the 'http://' part and inadvertently end up in the situation Ian  
> describes. Could we use the default port of the requesting scheme  
> instead?

Done:

   http://dev.w3.org/2006/waf/access-control/#match


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 4 October 2007 10:36:26 UTC