Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

On Fri, 16 May 2008 18:44:43 +0200, Bjoern Hoehrmann wrote:
> I didn't follow the introduction of this feature, and couldn't find
> much information that demonstrates how a feature like it is needed or
> would pay off, but if introduced, the scope should always be the whole
> triple of scheme, host, and port, not individual paths. As you note,
> the effect will often be the same either way.

The feature avoids the overhead you get when you need to issue 10 POST  
requests to 10 distinct URIs on the same server scoped to some path.  
Without Access-Control-Policy-Path that requires 20 requests. With  
Access-Control-Policy-Path it requires 12. So for the N requests you want  
to make it roughly saves you N additional requests for larger values of  

Ian was one of the persons who proposed this feature and he doesn't think  
it's worthwhile to have it if it's scoped to the entire triple (just  
allowing the / value for instance).

I'm in a bit of a dilemma as there were a lot of requests for a feature  
like this. Should we either recommend that authors not use this on servers  
where the path part of the URI doesn't necessarily match the physical  
location on the disk, as is the case on IIS servers and specifically  
configured Apache servers for instance, should we drop the feature for  
now, or should we keep the feature but rename it and restrict it to /?

Anne van Kesteren

Received on Thursday, 22 May 2008 08:48:50 UTC