Thomas Roessler wrote:
> On 2007-07-05 15:16:34 -0700, Jonas Sicking wrote:
>> An alternative solution is to remove the wildcard syntax
>> entirely, and say that it's implicitly always there. So
>>   Content-Access-Control: deny <evil.com>, allow <good.com>
>> denies evil.com together with subdomains, while allowing good.com
>> together with subdomains.
>
> To be clear, I don't object to that particular wildcard syntax.
> However, part of this discussion is likely moot given the thread
> that Rhys (rightly) opened up with respect to the interaction with
> POWDER.

From what I understood POWDER is changing their syntax so I think we
could take a lead here and hopefully they will follow us.

> On 2007-07-06 10:23:10 -0700, Jonas Sicking wrote:
>> sigh, keep saying that without coming up with an alternative
>> seems very unproductive.
>
> I agree that we seem not to be making much progress on the "deny"
> issue on the mailing list.
>
> To summarize, the concerns are:
>
> - "deny" lets people express policies that might not be enforced
>   since semantics are expressed in terms of adding to the list of
>   sites for which access is permissible.

This is true for the 'exclude' syntax too. The rule
  Content-Access-Control: allow <*.foo.com> exclude <evil.foo.com>
will in fact allow pages from evil.foo.com to access this resource if
the resource is located at evil.foo.com.

Note that even for deny the only time it doesn't do what you might
expect it to is if you're explicitly denying the server where the
resource is located.

> The one use case that we have for the "deny" statement so far is
> configuring web servers on which somebody might have put erroneous
> "allow" authorizations, in case there is a practical attack going
> on. I agree that it's a valid concern, but I disagree that it
> should lead to a change to the language.

The other use case is if you're putting a resource on a server that grants
access, but you don't want your particular resource to be accessible
cross domain.

> Therefore, I'm essentially proposing that we do not treat this use
> case.
>
> This is ultimately a question that the two of us won't solve by
> running our heads against each other, either in e-mail or on the
> phone. I'd therefore (as I said before) like to hear the opinions
> that others hold on this question.

Agreed. I should note that this use case was one that was brought up
during our security review of access-control at Mozilla, and one that we
felt needed to be addressed. So it's not just me personally that feels
this way.

/ Jonas
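To make the "deny"/"exclude" point in the thread concrete, here is an added evaluator for the draft Content-Access-Control syntax (it is not part of the original messages or of any implementation). It assumes the implicit-subdomain semantics Jonas proposes, that a matching "deny" overrides any "allow", and that same-origin access is never governed by the header at all, which is why "exclude <evil.foo.com>" cannot stop a page on evil.foo.com from reading a resource that lives on evil.foo.com.

```python
import re
from typing import List, Tuple

# (verb, host pattern, list of excluded host patterns); grammar assumed from
# the examples in the thread, e.g.
#   deny <evil.com>, allow <good.com>
#   allow <*.foo.com> exclude <evil.foo.com>
Rule = Tuple[str, str, List[str]]

RULE_RE = re.compile(r'(allow|deny)\s+<([^>]+)>((?:\s+exclude\s+<[^>]+>)*)')


def parse_policy(header_value: str) -> List[Rule]:
    """Parse the value of a Content-Access-Control header into rules."""
    rules: List[Rule] = []
    for part in header_value.split(','):
        m = RULE_RE.fullmatch(part.strip())
        if m is None:
            raise ValueError(f"unparseable rule: {part.strip()!r}")
        verb, pattern, excl = m.groups()
        rules.append((verb, pattern, re.findall(r'<([^>]+)>', excl)))
    return rules


def host_matches(pattern: str, host: str) -> bool:
    """Implicit wildcard (assumed): a bare host covers itself and all of its
    subdomains; an explicit '*.host' covers subdomains only."""
    if pattern.startswith('*.'):
        return host.endswith(pattern[1:])          # '.foo.com' suffix
    return host == pattern or host.endswith('.' + pattern)


def may_access(header_value: str, resource_host: str, requester_host: str) -> bool:
    """Decide whether a page on requester_host may read a resource on
    resource_host. The header only adds cross-domain permissions, so a
    same-origin request is allowed no matter what the header says."""
    if requester_host == resource_host:
        return True
    allowed = False
    for verb, pattern, excludes in parse_policy(header_value):
        if not host_matches(pattern, requester_host):
            continue
        if any(host_matches(e, requester_host) for e in excludes):
            continue                                # carved out of this rule
        if verb == 'deny':
            return False                            # assumed: deny wins
        allowed = True
    return allowed
```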