Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

On Thu, 22 May 2008, Anne van Kesteren wrote:
> 
> I'm in a bit of a dilemma as there were a lot of requests for a feature 
> like this. Should we either recommend that authors not use this on 
> servers where the path part of the URI doesn't necessarily match the 
> phyisical location on the disk, as is the case on IIS servers and 
> specifically configured Apache servers for instance, should we drop the 
> feature for now, or should we keep the feature but rename it and 
> restrict it to /?

I'd vote for keeping it, with big warnings giving examples of how it can 
go wrong if used on IIS servers, and with warnings to avoid using it with 
mod_rewrite rules that map things out of the scope of the policy path.

If we start worrying about what happens with misconfigured servers, we're 
going to end up paralysed. What about a server that's misconfigured to 
delete its filesystem if you send it an OPTIONS request with a header it 
doesn't recognise?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 22 May 2008 09:30:32 UTC