README.md: 14 additions & 14 deletions
@@ -368,24 +368,24 @@ All scripts running on the same origin are assumed to be run by the same
368
368
social entity, and so trusted to the same extent.
369
369
370
370
*When an Origin header is present then BOTH the authenticated agent AND
371
-
the origin MUST be allowed access*
371
+
the origin MUST be allowed access.*
372
372
373
-
As both the user and the web app get to read or write (etc) the data, then they most BOTH
374
-
be trusted. This is the algorithm the server must go through.
373
+
As both the user and the web app get to read or write (etc) the data, then they must BOTH
374
+
be trusted. This is the algorithm the server must go through.
375
375
376
-
- If the requested mode is available to the public, then succeed `200 OK` with added CORS headers ACAO and ACAH **
377
-
- If the user is *not* logged on, then fail `401 Unauthenticated`
378
-
- Is the User authenticated is *not* allowed access required, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`
379
-
- If the Origin header is not present, the succeed `200 OK`
380
-
- If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH
381
-
- (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH
382
-
- Fail `403 Origin Unauthorized`
376
+
- If the requested mode is available to the public, then succeed `200 OK` with added CORS headers ACAO and ACAH.**
377
+
- If the user is *not* logged on, then fail `401 Unauthenticated`.
378
+
- Is the authenticated user is *not* allowed access, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`.
379
+
- If the Origin header is not present, then succeed `200 OK`.
380
+
- If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH.
381
+
- (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH.
382
+
- Fail `403 Origin Unauthorized`.
383
383
384
-
Note it is a really good idea to make it clear both in the text of the status message and in the body of
385
-
the message the difference between the user not being allowed and the web app they are using
386
-
not being trusted.
384
+
Note it is a really good idea to make it clear both in the text of the status message and in the body of
385
+
the message the difference between the user not being allowed and the web app they are using
386
+
not being trusted.
387
387
388
-
** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials.
388
+
** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials.
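Review bot: new line 378 is still ungrammatical after this fix: `- Is the authenticated user is *not* allowed access, AND the class AuthenticatedAgent is not allowed access, then fail ...` should open with `If`, matching every other step of the algorithm (`- If the authenticated user is *not* allowed access, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`.`). Two smaller points in the same hunk: on new line 376 the added full stop now sits before the footnote marker (`ACAH.**`), while the footnote on line 388 is keyed by a leading `**`; `ACAH**.` keeps the marker attached to the headers it qualifies. And since lines 384-386 rely on the status text (`401 Unauthenticated`, `403 User Unauthorized`, `403 Origin Unauthorized`) to tell user denial from origin denial, note that these are non-standard reason phrases; the body of the response, which those lines also call for, is the part a client can actually depend on.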