Re: proposal for blanket statements

On Sat, 13 May 2006 15:45:53 -0400, Charles McCathieNevile  
<chaals@opera.com> wrote:

> I recently looked at this for the access-control task force of the Web  
> Application Formats group. Their use case is slightly different, since  
> they are essentially looking for something that can be stored in an  
> attribute value, and they have existing implementation and backwards  
> compatibility to consider, restrictions we don't have to live with.

Current implementations of the "access-control" PI [0] are based on IP  
numbers, or domain names, allowing for wild cards. There are alternatives,  
such as the rules for the scope attribute of P3P's HINT element [1].  
Although those are similar, they allow a greater granularity, providing for  
scheme (e.g. file:, http: etc) and port number constraints, as follows:

[quote cite=http://www.w3.org/TR/P3P/#hints]
... the host part of the authority MAY begin with a wildcard, as defined  
in Section 2.3.2.1.2. The scope attribute MUST NOT contain a wildcard in  
any other position, MUST be encoded according to the conventions in  
Section 2.3.2.1.2, and MUST NOT contain a path, query or fragment URI  
component.  Additionally, if the authority is a server, it SHOULD NOT  
contain a userinfo part.

For example, legal values for scope include:
http://www.example.com
http://www.example.com:81
http://*.example.com
ftp://ftp.example.org

The following are illegal values for the scope attribute:
http://www.*.com        ; the wildcard can only be at the start
http://www.example.com/  ; the trailing slash is not allowed
www.example.com          ; the scheme must be stated
*://www.example.com      ; the scheme cannot contain a wildcard
http://www.example.com:* ; the port cannot contain a wildcard

The path attribute is used to locate the policy reference file on the  
hinted site. It is a relative URI whose base is the URI scheme and  
authority matched in the scope attribute. The path attribute MUST NOT be  
an absolute URI, so that the policy reference file is always retrieved  
from the same site that it is applied to.
[/quote]

(Section 2.3.2.1.2 requires that any literal '*' character in the URI is  
encoded as %2A (i.e. uri-escaped), so that any '*' character encountered  
in a URI specification is processed as a wildcard.)

[0] http://www.w3.org/TR/access-control/
[1] http://www.w3.org/TR/P3P/#hints

cheers

Chaals

-- 
Charles McCathieNevile                     chaals@opera.com
   hablo español  -  je parle français  -  jeg lærer norsk
      Peek into the kitchen: http://snapshot.opera.com/

Received on Saturday, 13 May 2006 23:06:07 UTC
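
The scope rules quoted in the message above, written out as a validator. This is an added example, not part of the original message or of the P3P specification. The name `check_scope` and its reason strings are hypothetical; it rejects userinfo outright (stricter than the quoted SHOULD NOT) and does not handle IPv6 literal hosts.

```python
import re

# Authority grammar taken from the quoted rules: optional leading "*" on the
# host, %XX escapes allowed (a literal "*" is written %2A), optional numeric port.
_AUTHORITY_RE = re.compile(
    r"^\*?(?:[A-Za-z0-9.-]|%[0-9A-Fa-f]{2})+(?::[0-9]+)?$"
)
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")


def check_scope(value):
    """Return None if value is a legal scope, else a short reason string."""
    if "://" not in value:
        return "scheme must be stated"
    scheme, rest = value.split("://", 1)
    if "*" in scheme:
        return "scheme cannot contain a wildcard"
    if not _SCHEME_RE.match(scheme):
        return "malformed scheme"
    if any(c in rest for c in "/?#"):
        return "path, query or fragment not allowed"
    if "@" in rest:
        return "userinfo not allowed"  # assumption: stricter than SHOULD NOT
    host, _, port = rest.partition(":")
    if "*" in port:
        return "port cannot contain a wildcard"
    if "*" in host[1:]:
        return "wildcard only allowed at the start of the host"
    if not _AUTHORITY_RE.match(rest):
        return "malformed authority"
    return None


if __name__ == "__main__":
    # The legal and illegal values listed in the quoted P3P text.
    samples = [
        "http://www.example.com", "http://www.example.com:81",
        "http://*.example.com", "ftp://ftp.example.org",
        "http://www.*.com", "http://www.example.com/", "www.example.com",
        "*://www.example.com", "http://www.example.com:*",
    ]
    for s in samples:
        print(f"{s:28} {check_scope(s) or 'legal'}")
```
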