ISSUE-12 (access-control-policy-path): IIS and Access-Control-Policy-Path [Access Control] from Web Applications Working Group Issue Tracker on 2008-06-23 (public-webapps@w3.org from April to June 2008)

From: Web Applications Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 23 Jun 2008 19:37:11 +0000 (GMT)
To: public-webapps@w3.org
Message-Id: <20080623193711.E24565F74F@stu.w3.org>

ISSUE-12 (access-control-policy-path): IIS and Access-Control-Policy-Path [Access Control]

http://www.w3.org/2008/webapps/track/issues/

Raised by: Anne van Kesteren
On product: Access Control

[[ This issue was created on 2008-06-06 as Issue #25 in the Web Applications Formats (WAF) WG and is copied in totality to the Web Applications WG's Issues database:
<http://www.w3.org/2005/06/tracker/waf/issues/25> ]]

    IIS servers have an issue in that resources can be addressed by several distinct URIs as explained in this e-mail:

    http://lists.w3.org/Archives/Public/public-appformats/2008May/0039.html

    This impacts the design of Access-Control-Policy-Path to some extent. Two proposals have been put forward by members of the WG to address this issue:

    A. If a URI (also one given during redirects, etc.) contains the "\.." sequence (or the escaped form) apply the generic network error steps.

    B. Warn against using the Access-Control-Policy-Path feature in servers that exhibit this behavior.

Received on Monday, 23 June 2008 19:38:52 UTC