- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 06 Feb 2008 11:42:59 -0800
- To: Anne van Kesteren <annevk@opera.com>
- CC: "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote: > On Wed, 06 Feb 2008 12:08:15 +0100, Jonas Sicking <jonas@sicking.cc> wrote: >> Note that this isn't a problem with 'deny' rules. The exact same >> problem is there if OPTIONS requests to /dir/B doesn't return any AC >> headers at all. Just wanted the example to be more specific. > > I don't quite get the concern. Under what circumstances can author A > control /dir/ and /dir/A and not /dir/B? Could you elaborate some more > on the specific details? So keeping with the two concerns I had in my initial mail: 1 is showing that we're introducing ordering issues given a certain configuration. Just the sheer fact that ordering issues can arise is IMO bad and is likely to occationally lead to servers with the wrong setup. It definitely makes checking what policy is applying to a resource much more complicated as you have to look at the headers both for the resource itself, and for all its parent directories. Even if the resource doesn't include a Access-Control-Policy-Path header. This makes us much worse at complying with requirement 13. Regarding 2, I'm not really sure if such scenarios are common, no. / Jonas
Received on Wednesday, 6 February 2008 19:45:05 UTC