Phil Archer wrote:
Jonas Sicking wrote:
[..]
This sounds good to me. With that I would be more happy with saying
that *.foo.com should match only www.foo.com but not foo.com. That
would make it intuitive with rules like:
allow <foo.com> exclude <*.foo.com>
and
allow <foo.com> exclude <users.foo.com>
I'm not sure I see much use for the '?' syntax suggested. What
situations would that help, and are they very common?
OK, forget the ? notation. Your examples are very clear and we seem in
full alignment that <foo.com> includes sub domains but <*.foo.com>
wouldn't include foo.com itself.
Sounds great. What do other people think of switching to this syntax?
The difference from the current spec would be to change
Otherwise, apply these set of steps to the next list item of both origin
list and item list. If either of them has no next list item there is no
match (terminate the overall algorithm.) If both no longer have a next
list item go to the next step in the overall set of steps.
to
Otherwise, apply these set of steps to the next list item of both origin
list and item list. If the origin list has no next list item there is no
match (terminate the overall algorithm.) If the item list no longer have
a next list item go to the next step in the overall set of steps.
The short answer is that I doubt it, simply because the work required to
make it so is unlikely to be justified by the use cases. In theory, yes,
a Resource Set, in the sense POWDER means, could be useful in access
control. So one might have a Resource Set like:
<wdr:ResourceSet rdf:ID="RS1">
<wdr:includeHosts>example.org example.com</wdr:includeHosts>
<wdr:excludePathStartsWith>/sandbox</wdr:excludePathStartsWith>
</wdr:ResourceSet>
Linking to this RS in an access control header would grant access to
requests from anywhere on example.org and .net except where the path of
the requesting URI began with /sandbox. But you can't (sensibly) put all
that in an HTTP Header, you'd have to put the URI of the Resource Set
from which access was allowed exactly where right now an Access Control
Header has actual data, so we'd have something very much like an HTTP
Link Header:
Content-Access-Control: allow
<http://www.example.net/resourceset.rdf#RS1> type="application/rdf+xml"
which is well outside what WAF has in mind.
Yeah, I think this is much more complicated than what the current spec
does, without really providing much extra value.
/ Jonas
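The matching rules discussed above (that <foo.com> covers foo.com and all its subdomains, while <*.foo.com> covers subdomains but not foo.com itself, and the label-by-label walk over the origin list and item list) can be made concrete. The following is an added example written for this thread, not code from the WAF specification or from either author; the function names host_matches, parse_rules and is_allowed and the header-parsing regex are assumptions, and the sample header values are constructed. It compares DNS labels from the TLD inward rather than doing a string suffix match, which is what keeps a rule for foo.com from also admitting notfoo.com or foo.com.evil.example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical matcher for the "allow <host> exclude <host>" syntax discussed
# in the thread. Semantics assumed from the discussion:
#   <foo.com>    matches foo.com and every subdomain of it
#   <*.foo.com>  matches subdomains of foo.com but NOT foo.com itself
# Not the WAF spec's own code; names below are assumptions.

RULE_RE = re.compile(r"(allow|exclude)\s+<([^>]+)>", re.IGNORECASE)


def _labels(host: str) -> list[str]:
    """Split a host into DNS labels, most significant (TLD) first."""
    parts = host.strip().lower().rstrip(".").split(".")
    return [p for p in parts if p][::-1]


def host_matches(item: str, origin_host: str) -> bool:
    """Walk the item (pattern) labels and the origin labels together, TLD first.

    Mirrors the quoted algorithm step: if the origin runs out of labels before
    the item does, there is no match; if the item runs out first, everything so
    far matched and the origin is the host itself or a subdomain of it, so it
    matches. A leading '*' label requires the origin to have at least one label
    left, which is what makes <*.foo.com> exclude foo.com itself.
    """
    item_labels = _labels(item)
    origin_labels = _labels(origin_host)
    if "*" in item_labels[:-1]:  # labels are reversed, so [-1] is the leftmost
        raise ValueError("'*' is only supported as the leftmost label")
    for i, label in enumerate(item_labels):
        if i >= len(origin_labels):
            return False          # origin list exhausted: no match
        if label == "*":
            return True           # wildcard: origin still has a label left
        if label != origin_labels[i]:
            return False          # label mismatch
    return True                   # item list exhausted: match


def parse_rules(header_value: str) -> tuple[list[str], list[str]]:
    """Split a header value into (allow items, exclude items)."""
    allows, excludes = [], []
    for kind, item in RULE_RE.findall(header_value):
        (allows if kind.lower() == "allow" else excludes).append(item)
    return allows, excludes


def _origin_host(origin: str) -> str:
    """Accept a bare host or a full origin such as http://www.foo.com:8080."""
    if "://" in origin:
        host = urlsplit(origin).hostname
        if not host:
            raise ValueError(f"no host in origin {origin!r}")
        return host
    return origin.split(":")[0]


def is_allowed(header_value: str, origin: str) -> bool:
    """Grant access when some allow item matches and no exclude item does."""
    allows, excludes = parse_rules(header_value)
    host = _origin_host(origin)
    if not any(host_matches(item, host) for item in allows):
        return False
    return not any(host_matches(item, host) for item in excludes)


if __name__ == "__main__":
    # Constructed sample header and origins
    header = "allow <foo.com> exclude <*.foo.com>"
    for origin in ("foo.com", "http://www.foo.com", "foo.com.evil.example", "notfoo.com"):
        print(f"{header!r} vs {origin}: {is_allowed(header, origin)}")
```

With the first example header from the thread, foo.com is allowed and www.foo.com is not; with `allow <foo.com> exclude <users.foo.com>`, www.foo.com is allowed while users.foo.com and any subdomain of it are excluded, since a non-wildcard item includes its subdomains.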