Skip to content

Commit a71580b

Browse files
kjetilkkjetilk
authored
Merge pull request #56 from michielbdejong/update-trustedApps
Document current acl:trustedApp system
2 parents 40d733d + 35e4da8 commit a71580b

File tree

1 file changed

+5
-7
lines changed

1 file changed

+5
-7
lines changed

README.md

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -389,17 +389,15 @@ the origin MUST be allowed access*
389389

390390
#### Adding trusted web apps.
391391

392+
** NB: this feature was only added recently and is still consider experimental. It's likely to change in the near future. **
393+
392394
The authorization of trusted web app is a running battle between readers and writers on the web, and malevolent parties trying to break in to get unauthorized access. The history or Cross-Site Scripting attacks and the introduction of the Same Origin Policy is not detailed here, The CORS specification in general prevents any web app from accessing any data from or associated with a different origin. The web server can get around CORS. It is a pain to to do so, as it involves the server code echoing back the Origin header in the ACAO header, and also it must be done only when the web app in question actually is trustworthy.
393395

394396
In solid a maxim is, you have complete control of he data. Therefore it is up to the owner of the data, the publisher, the controller of the ACL, or more broadly the person running the solid server, to specify who gets access, be it people or apps. However another maxim is that you can chose which app you use. So of Alice publishes data, and Bob want to use his favorite app, then how does that happen?
395397

396-
##### Now:
397-
398-
- The web server can run with a given trusted domain created by the solid developers.
399-
- A specific ACL can be be made to allow a given app to access a given file or folder of files.
400-
401-
##### Possible future:
402-
- A writer could give in their profile a statement that they will allow readers to use a given app.
398+
- A Web server MAY be configured such that a given list of origins is unconditionally trusted for incoming HTTP requests. The origin check is then bypassed for these domains, but all other access control mechanisms remain active.
399+
- A specific ACL can be made to allow a given app to access a given file or folder of files, using `acl:origin`.
400+
- Someone with `acl:Control` access to the resource could give in their profile a statement that they will allow users to use a given app.
403401

404402
```
405403
<#me> acl:trustedApp [ acl:origin <https://calendar.example.com>;

0 commit comments

Comments
 (0)