Anne van Kesteren wrote:
> Have "allow", "deny" and "default". There is no "exclude". Order is
> important. If headers say "deny" then immediately deny. If headers say
> "allow" or "default" check with PIs. If PIs say "deny" deny. If PIs
> say "allow" allow. If PIs say nothing and headers said "allow" allow.
> Otherwise deny.
> If we allow "default" in PIs or not doesn't really matter to me. In
> the end they are useless, but it would be consistent.
> So what would happen for:
> Content-Access-Control: allow <*.bar.com>, deny <*.bar.com>
> You seemed to imply that ordering was important, but I wonder if that's
> intuitive.
> Yes, in my proposed algorithm that would indicate 'allow' since ordering
> is important.
I have been thinking about this over the past few days and I actually
think I agree with you. While it might be confusing that
allow <*.bar.com> exclude <foo.bar.com>, allow <*.bar.com>
allows foo.bar.com, I think it's even more confusing that
allow <*.bar.com>, deny <foo.bar.com>
does. So I think we should have both 'allow' and 'deny', both with
'exclude'. Ordering is not important, but deny rules are processed first.
Not sure if we should have 'deny' PIs or not though. I'm open to
arguments both ways.
/ Jonas
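The two rule semantics argued over in this thread, worked through as an added example; this is not code from the thread, from Anne's draft or from any Access Control implementation. It parses a `Content-Access-Control` style rule list, evaluates it against a requesting host under the quoted ordered semantics (first matching rule decides) and under the revised deny-first semantics (order irrelevant, any matching deny wins), and then applies the quoted header-versus-PI combination step. The rule grammar, the wildcard semantics (`*.bar.com` matches subdomains only, never `bar.com` itself), the treatment of `default` as a header verdict that the parser does not itself produce, and the names `parseRules`, `evaluateOrdered`, `evaluateDenyFirst`, `combineHeaderAndPI` and `accessDecision` are all assumptions made for the example.

```javascript
// Added example, not code from the thread or from any Access Control
// implementation. Evaluates a Content-Access-Control style rule list against
// a requesting host under both semantics discussed above, then applies the
// quoted header-vs-PI combination step.
//
// Assumed grammar (the thread does not fix one):
//   rule-list = rule *( "," rule )
//   rule      = ("allow" | "deny") "<" pattern ">" *( "exclude" "<" pattern ">" )
//   pattern   = hostname | "*." hostname
const RULE_RE = /^(allow|deny)\s*<([^>]+)>((?:\s*exclude\s*<[^>]+>)*)$/i;
const EXCLUDE_RE = /exclude\s*<([^>]+)>/gi;

function parseRules(header) {
  return header.split(',').map((part) => {
    const m = RULE_RE.exec(part.trim());
    if (!m) throw new Error(`unparseable rule: "${part.trim()}"`);
    const excludes = [...m[3].matchAll(EXCLUDE_RE)].map((x) => x[1].trim().toLowerCase());
    return { verb: m[1].toLowerCase(), pattern: m[2].trim().toLowerCase(), excludes };
  });
}

// Assumption: "*.bar.com" matches hosts with at least one label in front of
// "bar.com" and not "bar.com" itself; a bare hostname matches only itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);            // ".bar.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern;
}

// A rule matches when its pattern matches and none of its excludes do.
function ruleMatches(rule, host) {
  return hostMatches(rule.pattern, host) &&
    !rule.excludes.some((p) => hostMatches(p, host));
}

// Quoted proposal: rules are tried in header order and the first matching
// rule decides. Returns 'allow', 'deny', or null when nothing matched.
function evaluateOrdered(rules, host) {
  const h = host.toLowerCase();
  const hit = rules.find((r) => ruleMatches(r, h));
  return hit ? hit.verb : null;
}

// Revised position from the reply: order is irrelevant; any matching deny
// rule wins, otherwise any matching allow rule allows. Returns 'allow',
// 'deny', or null when nothing matched.
function evaluateDenyFirst(rules, host) {
  const h = host.toLowerCase();
  if (rules.some((r) => r.verb === 'deny' && ruleMatches(r, h))) return 'deny';
  if (rules.some((r) => r.verb === 'allow' && ruleMatches(r, h))) return 'allow';
  return null;
}

// Header-vs-PI combination as quoted: header deny wins; header allow or
// default defers to the PIs; a silent PI only allows when the header said
// allow; everything else is denied. 'default' is accepted here as a header
// verdict value only; parseRules above never produces it (assumption).
function combineHeaderAndPI(headerVerdict, piVerdict) {
  if (headerVerdict === 'deny') return 'deny';
  if (headerVerdict === 'allow' || headerVerdict === 'default') {
    if (piVerdict === 'deny') return 'deny';
    if (piVerdict === 'allow') return 'allow';
    if (piVerdict === null && headerVerdict === 'allow') return 'allow';
  }
  return 'deny';
}

// Full decision for one request: both rule lists are evaluated with the
// chosen semantics ('ordered' or 'denyFirst'), then combined. `pi` is null
// when the document carries no access-control processing instruction.
function accessDecision(headerValue, pi, host, semantics = 'denyFirst') {
  const evaluate = semantics === 'ordered' ? evaluateOrdered : evaluateDenyFirst;
  const headerVerdict = evaluate(parseRules(headerValue), host);
  const piVerdict = pi === null ? null : evaluate(parseRules(pi), host);
  return combineHeaderAndPI(headerVerdict, piVerdict);
}

// The three headers discussed in the thread (constructed inputs), both ways.
const CASES = [
  'allow <*.bar.com>, deny <*.bar.com>',
  'allow <*.bar.com> exclude <foo.bar.com>, allow <*.bar.com>',
  'allow <*.bar.com>, deny <foo.bar.com>',
];
for (const header of CASES) {
  for (const semantics of ['ordered', 'denyFirst']) {
    console.log(`${semantics.padEnd(9)} foo.bar.com  ${header}  -> ` +
      accessDecision(header, null, 'foo.bar.com', semantics));
  }
}
```

Running it shows the point of the thread: the first and third headers allow foo.bar.com under the ordered semantics and deny it under deny-first, while the second header allows foo.bar.com under both, because an `exclude` only narrows the rule it belongs to and never overrides a separate `allow`.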