Thomas Roessler wrote:
> On 2007-05-07 10:18:30 -0700, Jonas Sicking wrote:
>> I have been thinking about this over the past few days and I actually think
>> I agree with you. While it might be confusing that
>>
>>   allow <*.bar.com> exclude <foo.bar.com>, allow <*.bar.com>
>>
>> allows foo.bar.com. I think it's even more confusing that
>>
>>   allow <*.bar.com>, deny <foo.bar.com>
>>
>> does. So I think we should have both 'allow' and 'deny', both
>> with 'exclude'. Ordering is not important, but deny rules are
>> processed first.
>
> I get back to my earlier argument: This suggests to a policy author
> that they can further restrict existing policies. Have fun with the
> bug reports.
I'm all ears for other proposals, but I think it is critical that both
the server operator and the content author can restrict access to the
files to at least the default policy that UAs use today.
Anything else would make me very nervous to implement this at all.
I agree that you could make the server go through all the public files
on the filesystem and modify them to add excludes as appropriate, or
filter each request on the fly. However that system is significantly
more complicated and I doubt that anyone would have that ready to go
once the problem hits. It also does not allow the content author to
override a server-set AC header.
/ Jonas
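The rule semantics the thread describes (deny rules processed first regardless of order, `exclude` narrowing only the rule it is attached to, access granted only when some allow rule still matches), as an added example evaluator in Python. This is not code from the thread or from any W3C or browser implementation, and the wildcard semantics (`*.bar.com` matches any host ending in `.bar.com`, plain names match exactly) are an assumption, since the thread does not define them.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    kind: str                          # "allow" or "deny"
    pattern: str                       # e.g. "*.bar.com"
    excludes: list = field(default_factory=list)

def _unbracket(token):
    """Turn '<foo.bar.com>' into 'foo.bar.com'; reject anything else."""
    if not (token.startswith("<") and token.endswith(">") and len(token) > 2):
        raise ValueError(f"expected <pattern>, got {token!r}")
    return token[1:-1].lower()

def parse_policy(text):
    """Parse 'allow <p> exclude <q>, deny <r>' into a list of Rule objects."""
    rules = []
    for clause in text.split(","):
        tokens = clause.split()
        if not tokens:
            continue
        kind = tokens[0].lower()
        if kind not in ("allow", "deny") or len(tokens) < 2:
            raise ValueError(f"malformed rule: {clause.strip()!r}")
        rule = Rule(kind, _unbracket(tokens[1]))
        rest = tokens[2:]
        while rest:                    # zero or more 'exclude <pattern>' pairs
            if rest[0].lower() != "exclude" or len(rest) < 2:
                raise ValueError(f"malformed exclude in: {clause.strip()!r}")
            rule.excludes.append(_unbracket(rest[1]))
            rest = rest[2:]
        rules.append(rule)
    return rules

def host_matches(pattern, host):
    """Assumed wildcard semantics: '*.bar.com' matches any host under bar.com."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # keep the leading '.'
    return host == pattern

def rule_applies(rule, host):
    """A rule applies when its pattern matches and none of its excludes do."""
    return host_matches(rule.pattern, host) and not any(
        host_matches(e, host) for e in rule.excludes)

def is_allowed(policy, host):
    rules, host = parse_policy(policy), host.lower()
    if any(rule_applies(r, host) for r in rules if r.kind == "deny"):
        return False                   # deny rules win, whatever their position
    return any(rule_applies(r, host) for r in rules if r.kind == "allow")
```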