Anne van Kesteren wrote:
> On Wed, 06 Feb 2008 12:08:15 +0100, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> Note that this isn't a problem with 'deny' rules. The exact same
>> problem is there if OPTIONS requests to /dir/B don't return any AC
>> headers at all. Just wanted the example to be more specific.
>
> I don't quite get the concern. Under what circumstances can author A
> control /dir/ and /dir/A and not /dir/B? Could you elaborate some more
> on the specific details?

So keeping with the two concerns I had in my initial mail:

1 is showing that we're introducing ordering issues given a certain
configuration. Just the sheer fact that ordering issues can arise is IMO
bad and is likely to occasionally lead to servers with the wrong setup.
It definitely makes checking what policy is applying to a resource much
more complicated as you have to look at the headers both for the
resource itself, and for all its parent directories. Even if the
resource doesn't include an Access-Control-Policy-Path header. This makes
us much worse at complying with requirement 13.

Regarding 2, I'm not really sure if such scenarios are common, no.

/ Jonas