From a POWDER perspective, therefore, the default position is that
example.org matches both www.example.org and example.org. What this
discussion has made me realise is that we need to be explicit in our
documentation that it DOES NOT match badexample.org - i.e. a different
domain altogether.
Like WAF, we have an exclude method as well so we can say:
<wdr:includeHosts>example.org example.com</wdr:includeHosts>
<wdr:excludeHosts>private.example.org</wdr:excludeHosts>
(which means everything on example.org and example.com except resources
on private.example.org). The assumption being that someone describing a
load of content would know what they wanted to leave out.
So the general approach has been, as ever, that simple things will be
simple (we own example.com so that's the scope of this description) but
that complex situations can also be handled (you can write a regex if
you need to).
This sounds good to me. With that I would be more happy with saying that
*.foo.com should match only www.foo.com but not foo.com. That would make
it intuitive with rules like:
allow <foo.com> exclude <*.foo.com>
and
allow <foo.com> exclude <users.foo.com>
I'm not sure I see much use for the '?' syntax suggested. What
situations would that help, and are they very common?
As for Jonas' other point - what else could/should we share. Well,
access control is clearly an application of what we're doing, whether
that's in terms of licensing or my own area of child protection. I guess
it's a question of use cases.
Not sure I follow you here. My question is, are there any concrete parts
of respective specs that would make sense to share? Other than the URI
syntax? Could access-control be implemented using POWDER even, and if
so, what would the resulting syntax be for an author publishing
shareable documents on his website?
Best Regards
/ Jonas Sicking
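As an added example, not from the thread, here is a small Python matcher implementing the host-scope rules discussed above (a bare host covers the apex and its subdomains, `*.host` covers subdomains only, excludes override includes); the function names and the label-based matching are my own choices, not POWDER's specification.

```python
# Added example (not from the thread): a host matcher implementing the
# includeHosts/excludeHosts semantics as described in the discussion.
# Assumptions: a bare host matches itself and its subdomains, "*.host"
# matches only subdomains, and exclusions win over inclusions.

def host_matches(pattern: str, host: str) -> bool:
    """Return True if `host` falls within `pattern`.

    Matching is label-based, not a plain string-suffix test, so
    "example.org" does NOT match "badexample.org".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # "*.foo.com": subdomains only, never the apex itself
        base = pattern[2:]
        return host != base and host.endswith("." + base)
    # "foo.com": the apex and every subdomain beneath it
    return host == pattern or host.endswith("." + pattern)


def in_scope(host: str, include: str, exclude: str = "") -> bool:
    """Evaluate space-separated includeHosts/excludeHosts lists.

    A host is in scope if any include pattern matches and no exclude
    pattern matches (excludes override includes, as in the example
    where private.example.org is carved out of example.org).
    """
    included = any(host_matches(p, host) for p in include.split())
    excluded = any(host_matches(p, host) for p in exclude.split())
    return included and not excluded


if __name__ == "__main__":
    # The <wdr:includeHosts>/<wdr:excludeHosts> pair from the thread
    inc, exc = "example.org example.com", "private.example.org"
    for h in ("www.example.org", "badexample.org", "private.example.org"):
        print(h, in_scope(h, inc, exc))
```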