Feature: add tests for 'Origin' header #16
Comments
Correct! I just totally forgot to write those. We don't need to test for the

```turtle
@prefix : <#>.
@prefix n0: <http://www.w3.org/ns/auth/acl#>.
@prefix priv: <./>.
@prefix c: </profile/card#>.
:ControlReadWrite
a n0:Authorization;
n0:accessTo priv:;
n0:agent c:me;
n0:default priv:;
n0:mode n0:Control, n0:Read, n0:Write.
:Read
a n0:Authorization;
n0:accessTo priv:;
n0:default priv:;
n0:mode n0:Read;
n0:origin <https://chat.inrupt.app>.
```

which is the ACL of my private folder, means that I have:

So the authorizations add up, and you need to be authorized for both your identity and (if you come cross-origin) for your origin.
So to make sure I understand, the origin authorization applies to all agent authorizations in the same ACL. There is no need to specify any agent in the origin authorization. This is what you mean by saying they add up. So if we added an authorization for the agent Bob to read this folder, then he would also only be able to do that from origin https://chat.inrupt.app.
Ah wait, now I'm not sure anymore. It could either be that you need >=1 authorization for your origin and >=1 for your webid, but it could also be that you need >=1 authorization that combines the two in a single authorization. https://github.com/solid/web-access-control-spec says "If the Origin is allowed by [any authorization in] the ACL" so that would imply "If the Origin is allowed by [any authorization in] the ACL", not necessarily "If the Origin is allowed by [that same authorization in] the ACL". But to play it safe you could create two tests:
@csarven do you think that is correct? Is there anything you want to add?
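To make the two readings concrete, here is an added Python example (not code from this issue or from the test suite it concerns) that parses the ACL quoted in the earlier comment and evaluates a cross-origin request under both interpretations raised above. The parser covers only the Turtle subset that ACL uses, and the evaluation assumes that an authorization without acl:origin never satisfies the origin check for a cross-origin request.

```python
# Sample input, constructed from the ACL in the comment above, one authorization per line.
ACL = """\
@prefix : <#>.
@prefix n0: <http://www.w3.org/ns/auth/acl#>.
@prefix priv: <./>.
@prefix c: </profile/card#>.
:ControlReadWrite a n0:Authorization; n0:accessTo priv:; n0:agent c:me; n0:default priv:; n0:mode n0:Control, n0:Read, n0:Write.
:Read a n0:Authorization; n0:accessTo priv:; n0:default priv:; n0:mode n0:Read; n0:origin <https://chat.inrupt.app>.
"""
ACL_NS = "http://www.w3.org/ns/auth/acl#"

def expand(term, prefixes):
    """Expand a prefixed name or <IRI> token; the keyword 'a' is rdf:type."""
    if term.startswith("<"):
        return term.strip("<>")
    if term == "a":
        return "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
    pfx, _, local = term.partition(":")
    return prefixes[pfx] + local

def parse_acl(text):
    """Parse this Turtle subset into {subject: {predicate: [objects]}}."""
    prefixes, auths, subject, new_block = {}, {}, None, True
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("@prefix"):
            _, pfx, iri = line.rstrip(".").split()
            prefixes[pfx.rstrip(":")] = iri.strip("<>")
            continue
        body = line.rstrip(".;")
        if new_block:  # the token after a '.'-terminated statement is a subject
            subj, _, body = body.partition(" ")
            subject = expand(subj, prefixes)
            auths[subject] = {}
        for po in filter(None, body.split(";")):
            pred, objs = po.split(None, 1)
            auths[subject].setdefault(expand(pred, prefixes), []).extend(
                expand(o.strip(), prefixes) for o in objs.split(","))
        new_block = line.endswith(".")
    return auths

def allowed(auths, agent, origin, mode):
    """(any_rule, same_rule): is `mode` granted to `agent` from cross-origin
    `origin` when agent and origin may be matched by different authorizations
    (any_rule) versus when a single authorization must name both (same_rule)?"""
    agent_ok = origin_ok = both_ok = False
    for rule in auths.values():
        m = mode in rule.get(ACL_NS + "mode", [])
        a = m and agent in rule.get(ACL_NS + "agent", [])
        o = m and origin in rule.get(ACL_NS + "origin", [])  # no acl:origin: no match
        agent_ok, origin_ok, both_ok = agent_ok or a, origin_ok or o, both_ok or (a and o)
    return agent_ok and origin_ok, both_ok
```

With this ACL, c:me from https://chat.inrupt.app gets Read under the "any authorization" reading and nothing under the "same authorization" reading, which is exactly the difference the two proposed tests would pin down.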
Just for clarification, consider the following acl rules:
The grants from the acl file are: So combined with the origin, this would be:
With origin chat.app:
With origin another-chat.app:
Is this the right interpretation?
There are currently no checks for this part of the spec:
http://solid.github.io/web-access-control-spec/#referring-to-origins-ie-web-apps