Re: Web Access control allowing CORS agents

On 29 Nov 2013, at 15:08, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

>
> On 26 November 2013 19:18, Henry Story <henry.story@bblfish.net> wrote:
> Hi all [1],
> 
>   Working with Andrei at Mozilla in Paris [2] we came up with the following issue.
> 
> Looks like quite a turn out!  Let us know how you get on :)
>  
> 
> Background:
>   A JS agent from one domain making a request on a different domain needs the server
> it is making requests to, be it GET, PUT, POST, DELETE or PATCH, to specify which JS agents
> it trusts with the information. (This can be * for all agents, and agents are only
> defined by (sub)domain.)
>    It is not a good idea for an LDP server on the public internet to allow any agent
> to execute non-idempotent actions such as POST, DELETE, PATCH and PUT on all resources
> - that would really allow too much mischief.
> 
>    But we could allow that per container. This could be done using WAC by a simple
> rule such as
> 
> [[
>   @prefix acl: <http://www.w3.org/ns/auth/acl#> .
>   @prefix foaf: <http://xmlns.com/foaf/0.1/> .
> 
> [] acl:accessToClass [ acl:regex "https://stample.io/2013/test/.*" ];
>    acl:mode acl:Read, acl:Write;
>    acl:agent [ acl:cors "https://joe.rww.io" ] .
> ]]
> 
> So this is saying that agent http://joe.rww.io can have Read/Write Access to all files
> under the directory /2013/test/.*
> 
> A better name than acl:cors is welcome.
> 
> At first glance agree with Joe on use of the term "Origin".  Of course, the O in cOrs stands for Origin ...

Yes, origin is better.

Thanks :-)

I'll try to add that up on the wiki as a suggestion...

>  
> 
> Henry
> 
> 
> 
> [1] Sorry for not having responded to previous responses to my mails on this list.
> I have been busy and will get back to those threads.
> [2] http://hack.stample.co/
> 
> Social Web Architect
> http://bblfish.net/

Social Web Architect
http://bblfish.net/

Received on Friday, 29 November 2013 14:53:46 UTC
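
How a server could evaluate the per-container rule from this thread when a cross-origin request arrives, as an added example that is not code from the thread's participants. The rule object, the `origin` field name, the method-to-mode mapping and the function names are assumptions made for illustration.

```javascript
// Constructed rule mirroring the Turtle example in the thread. The "origin" field
// stands in for the proposed acl:cors / "origin" property (hypothetical name).
const RULES = [{
  resourcePattern: "https://stample.io/2013/test/.*",
  modes: ["Read", "Write"],
  origin: "https://joe.rww.io",
}];

// Assumed mapping from HTTP method to the WAC mode it requires.
const METHOD_MODE = {
  GET: "Read", HEAD: "Read",
  PUT: "Write", POST: "Write", PATCH: "Write", DELETE: "Write",
};

// Anchor the pattern so it must match the whole resource URL, not a substring.
function matchesResource(pattern, url) {
  return new RegExp("^(?:" + pattern + ")$").test(url);
}

// Decide whether a cross-origin request is covered by a rule and, if so,
// which CORS response headers the server should send.
function corsDecision(rules, resourceUrl, method, requestOrigin) {
  const denied = { allowed: false, headers: {} };
  const needed = METHOD_MODE[String(method).toUpperCase()];
  if (!needed || !requestOrigin) return denied;
  for (const rule of rules) {
    if (!matchesResource(rule.resourcePattern, resourceUrl)) continue;
    if (!rule.modes.includes(needed)) continue;
    // Origins compare as exact strings: scheme, host and port must all match.
    if (rule.origin !== "*" && rule.origin !== requestOrigin) continue;
    const methods = Object.keys(METHOD_MODE)
      .filter((m) => rule.modes.includes(METHOD_MODE[m]));
    return {
      allowed: true,
      headers: {
        "Access-Control-Allow-Origin": rule.origin,
        "Access-Control-Allow-Methods": methods.join(", "),
        "Vary": "Origin",
      },
    };
  }
  return denied;
}
```

Because origins are compared exactly, a request from `http://joe.rww.io` is not covered by a rule naming `https://joe.rww.io`. The unescaped dots in the rule's regex match any character, so a deployed pattern would escape them.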