You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -351,12 +352,14 @@ and then later restrict access to that group, to prevent spam.
351
352
352
353
### Referring to Origins, i.e. Web Apps
353
354
355
+
354
356
When a compliant server receives a request from a web application running
355
-
in a browser, the brrowser will send an extra warning HTTP header, the Origin header.
357
+
in a browser, the browser will send an extra warning HTTP header, the Origin header.
356
358
357
359
```
358
360
Origin: https://scripts.example.com:8080
359
361
```
362
+
(For background, see also [Backgrounder on Same Origin Policy and CORS](https://sold.github.io/web-access-control-spec/Background))
360
363
Note that the origin comprises the protocol and the DNS and port but none of the path,
361
364
and no trailing slash.
362
365
All scripts running on the same origin are assumed to be run by the same
@@ -365,21 +368,23 @@ social entity, and so trusted to the same extent.
365
368
*When an Origin header is present then BOTH the authenticated agent AND
366
369
the origin MUST be allowed access*
367
370
368
-
As both the user and the web app get to read or write the data, then they most BOTH
369
-
be trusted.
371
+
As both the user and the web app get to read or write (etc) the data, then they most BOTH
372
+
be trusted. This is the algorithm the server must go through.
370
373
371
-
- If the requested mode is available to the public, then suceed`200 OK`.
374
+
- If the requested mode is available to the public, then succeed`200 OK` with added CORS headers ACAO and ACAH **
372
375
- If the user is *not* logged on, then fail `401 Unauthenticated`
373
376
- Is the User authenticated is *not* allowed access required, AND the class AuthenticatedAgent is not allowed access, then fail `403 User Unauthorized`
374
377
- If the Origin header is not present, the succeed `200 OK`
375
378
- If the Origin is allowed by the ACL, then succeed `200 OK` with added CORS headers ACAO and ACAH
376
-
- (In future proposed) Look up the user's webid to check for trusted apps declared there, and if match, succeed `200 OK`
379
+
- (In future proposed) Look up the owner's webid(s) to check for trusted apps declared there, and if match, succeed `200 OK` with added CORS headers ACAO and ACAH
377
380
- Fail `403 Origin Unauthorized`
378
381
379
382
Note it is a really good idea to make it clear both in the text of the status message and in the body of
380
383
the message the difference between the user not being allowed and the web app they are using
381
384
not bing trusted.
382
385
386
+
** Possible future alternative: Set ACAO header to `"*"` indicating that the document is public. This will though block in the browser any access made using credentials.
387
+
383
388
#### Adding trusted web apps.
384
389
385
390
The authorization of trusted web app is a running battle between readers and writers on the web, and manevalent parties trying to break in to get unauthorized access. The history or Cross-Site Scripting attacks and the introduction of the Same Origin Policy is not detailed here, The CORS specification in general prevents any web app from accessing any data from or associated with a different origin. The web server can get around CORS. It is a pain to to do so, as it involves the server code echoing back the Orin header in the ACAO header, and also it must be done only when the web app in question actually is trustworthy.
0 commit comments