
Allow ACL doc discovery without acl:Control #248

Closed
wants to merge 2 commits into from

Commits on Mar 10, 2021

  1. Allow ACL doc discovery without acl:Control

    This is a spec change proposal.
    
    ### Practical Reason
    Most current implementations of Solid allow ACL doc discovery without acl:Control.
    For instance, NSS and CSS just add `.acl` and ESS adds `?ext=acl`.
    It would be a lot of work (including data migration on all existing servers) to change that.
    
    ### Simplicity Reason
    Using a predictable scheme makes the life of the server developer easier.
    Also, reporting the `Link` header in for instance OPTIONS makes it easier
    to discover if a server *supports* WAC at all, which is useful both to app
    developers and to end-users of apps. You can then see "ah, there is an ACL
    link but I don't have access", rather than being kept in the dark about it altogether.
    
    ### Reasons against it
    * If the ACL doc URL is predictable, there is a real risk that app developers skip
    the discovery and just guess it. However, now that different servers already
    use different schemes, I don't think many app developers will do this anymore.
    
    * If the ACL doc URL is predictable, it might give an attacker a leg up (help them
    overcome the first barrier). They could then for instance try to brute-force their
    way into the ACL doc. However, if they can brute-force their way into `acl:Control`
    then they would maybe also be able to use that technique to break the barrier to
    discovery.
    michielbdejong authored Mar 10, 2021 (commit 4639a5d)
  2. Commit b3c45ef
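The discovery path the proposal argues for (follow the `Link` header rather than guessing a `.acl` or `?ext=acl` URL, and treat a present `rel="acl"` link plus a 401/403 as "WAC supported, no access") as an added example; this is not code from the PR or from any Solid server, and the header values and URLs are constructed sample input.

```javascript
// Added example (not from the PR or the Solid spec): discover a resource's ACL
// document from the WAC Link header instead of guessing a predictable URL.
// Assumes Node.js; the header values below are constructed sample input.

// Parse an HTTP Link header into [{ target, rels }] entries (RFC 8288 subset:
// <target>; rel="a b"; other=param, separated by commas before the next "<").
function parseLinkHeader(value) {
  const links = [];
  for (const part of value.split(/,(?=\s*<)/)) {
    const m = part.match(/^\s*<([^>]*)>\s*(.*)$/);
    if (!m) continue;
    const rels = [];
    for (const param of m[2].split(";")) {
      const kv = param.match(/^\s*rel\s*=\s*"?([^"]*)"?\s*$/i);
      if (kv) rels.push(...kv[1].toLowerCase().split(/\s+/));
    }
    links.push({ target: m[1], rels });
  }
  return links;
}

// Resolve the ACL document URL advertised for `resourceUrl`, or null when the
// server advertised none. Relative targets resolve against the resource URL,
// so both the `.acl` suffix and `?ext=acl` schemes work without special-casing.
function discoverAcl(resourceUrl, headers) {
  const link = headers.link || headers.Link;
  if (!link) return null;
  const acl = parseLinkHeader(link).find(l => l.rels.includes("acl"));
  return acl ? new URL(acl.target, resourceUrl).href : null;
}

// What an app learns from an OPTIONS/GET response under the proposal: a
// rel="acl" link proves WAC support even when the status is 401 or 403, so the
// app can report "ACL exists but I lack acl:Control" instead of "no WAC here".
function classifyWacSupport(resourceUrl, status, headers) {
  const aclUrl = discoverAcl(resourceUrl, headers);
  if (!aclUrl) return { wac: false, aclUrl: null, readable: false };
  return { wac: true, aclUrl, readable: status >= 200 && status < 300 };
}

// Constructed sample: a server using the `.acl` suffix, agent without acl:Control.
const sampleHeaders = {
  Link: '<foo.acl>; rel="acl", <http://www.w3.org/ns/ldp#Resource>; rel="type"',
};
console.log(classifyWacSupport("https://pod.example/foo", 403, sampleHeaders));
```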