Jonas Sicking wrote:
[..]
This sounds good to me. With that I would be more happy with saying that
*.foo.com should match only www.foo.com but not foo.com. That would make
it intuitive with rules like:
allow <foo.com> exclude <*.foo.com>
and
allow <foo.com> exclude <users.foo.com>
I'm not sure I see much use for the '?' syntax suggested. What
situations would that help, and are they very common?
OK, forget the ? notation. Your examples are very clear and we seem in
full alignment that <foo.com> includes sub domains but <*.foo.com>
wouldn't include foo.com itself.
[..]
My question is, are there any concrete parts
of respective specs that would make sense to share? Other than the URI
syntax? Could access-control be implemented using POWDER even, and if
so, what would the resulting syntax be for an author publishing
shareable documents on his website?
The short answer is that I doubt it, simply because the work required to
make it so is unlikely to be justified by the use cases. In theory, yes,
a Resource Set, in the sense POWDER means, could be useful in access
control. So one might have a Resource Set like:
<wdr:ResourceSet rdf:ID="RS1">
<wdr:includeHosts>example.org example.com</wdr:includeHosts>
<wdr:excludePathStartsWith>/sandbox</wdr:excludePathStartsWith>
</wdr:ResourceSet>
Linking to this RS in an access control header would grant access to
requests from anywhere on example.org and .net except where the path of
the requesting URI began with /sandbox. But you can't (sensibly) put all
that in an HTTP Header, you'd have to put the URI of the Resource Set
from which access was allowed exactly where right now an Access Control
Header has actual data, so we'd have something very much like an HTTP
Link Header:
Content-Access-Control: allow
<http://www.example.net/resourceset.rdf#RS1> type="application/rdf+xml"
which is well outside what WAF has in mind.
We do see POWDER being used to grant/deny access to content to
individual users (or groups of users) for a variety of reasons but not
in the way envisaged here.
Cheers
Phil.
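A small matcher for the host semantics agreed above (<foo.com> covers foo.com and its sub domains, <*.foo.com> covers only the sub domains), added here as an illustration; it is not code from this thread or from the WAF or POWDER specifications, and the "allow <h> exclude <h>" rule parser and the exclude-overrides-allow ordering are assumptions.

```python
# Added example, not from the thread. Implements the host-matching rules
# Jonas and Phil converged on:
#   <foo.com>    matches foo.com and any sub domain of it
#   <*.foo.com>  matches sub domains of foo.com but NOT foo.com itself
# Rule strings follow the quoted "allow <a> exclude <b>" shape; treating a
# matching exclude as overriding any allow is an assumption of this example.
import re


def host_matches(pattern: str, host: str) -> bool:
    """True if host falls under pattern, with suffix matching on label
    boundaries so that foo.com never matches evilfoo.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        # Strict sub domain: the bare base host itself is not covered.
        return host != base and host.endswith("." + base)
    # Bare host covers itself and every sub domain beneath it.
    return host == pattern or host.endswith("." + pattern)


_TOKEN = re.compile(r"(allow|exclude)\s+<([^>]+)>")


def parse_rule(rule: str):
    """Split 'allow <h> exclude <h> ...' into (allows, excludes) lists."""
    allows, excludes = [], []
    for keyword, pattern in _TOKEN.findall(rule):
        (allows if keyword == "allow" else excludes).append(pattern)
    return allows, excludes


def is_allowed(rule: str, host: str) -> bool:
    """Evaluate a rule for a requesting host: any matching exclude denies,
    otherwise access is granted only if some allow pattern matches."""
    allows, excludes = parse_rule(rule)
    if any(host_matches(p, host) for p in excludes):
        return False
    return any(host_matches(p, host) for p in allows)


if __name__ == "__main__":
    rule = "allow <foo.com> exclude <*.foo.com>"
    for h in ("foo.com", "www.foo.com", "evilfoo.com"):
        print(f"{rule!r} {h}: {is_allowed(rule, h)}")
```

Run as a script to see the first rule evaluated against a few constructed hosts; the exclude on users.foo.com also shuts out a.users.foo.com because a bare host pattern covers its sub domains.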