Use acl files to limit applications that can access a resource (using acl:origin)


#1

Hi,

I am developing an application that manages access permissions (read/write) to a user’s resources by creating/editing acl files.

It works well to restrict users using their webId but I can’t limit the applications that can be used by authorized users.

Here is the acl file used:

# ACL resource for /myTestContainer/
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

<#owner>
	a acl:Authorization;

	acl:agent <https://hyuryu.solid.community/profile/card#me>;
	
	# Only scripts from this domain can control resources
	acl:origin <https://hyuryu.inrupt.net>;

	# Set the access to the PIMS folder itself
	acl:accessTo </myTestContainer/>;

	# All resources will inherit this authorization, by default
	acl:default </myTestContainer/>;

	# The owner has all of the access modes allowed
	acl:mode
		acl:Read, acl:Write, acl:Control.

Although an origin is specified in the acl file, I can access the resource by hosting the application elsewhere (on another user’s POD for example). Moreover, the “origin” header is correctly indicated by the browser when sending the request.

Did I miss something?


#2

This feature was mentioned as “Possible future”. See https://github.com/solid/web-access-control-spec#possible-future. So it is not implemented yet AFAIK.


#3

Version 4.x of the NSS server does not implement access control on apps. Version 5.x does. The spec items labeled as “possible future”, specifically the use of acl:trustedApps, have also been implemented in 5.x; it is no longer a “future” feature, it already exists. So if you are testing on the current inrupt.net or solid.community servers, they are 4.x and you will not be able to test ACL control of apps. Currently the only publicly accessible 5.x server I know about is at https://solidweb.org/ - it does implement app access control.
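The difference described in this thread, as an added example that is not part of any post and is not NSS or spec code: a simplified model of one authorization check, run with and without `acl:origin` enforcement. The object layout, `normOrigin`, `isAllowed`, the `enforceOrigin` switch, the prefix-based inheritance and the sample requests are assumptions made for illustration.

```javascript
// Simplified model of the <#owner> authorization from post #1 (not parsed Turtle).
const ownerAuth = {
  agents: ["https://hyuryu.solid.community/profile/card#me"],
  origins: ["https://hyuryu.inrupt.net"],
  accessTo: "/myTestContainer/",
  default: "/myTestContainer/",
  modes: ["Read", "Write", "Control"],
};

// Reduce a URL to scheme://host[:port] so a trailing slash or an explicit
// default port still compares equal; unparsable values such as "null" give null.
function normOrigin(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// enforceOrigin=false models a server that ignores acl:origin;
// enforceOrigin=true models a server that applies it.
function isAllowed(auth, req, enforceOrigin) {
  const onResource = req.path === auth.accessTo;
  // Assumption: inheritance is modelled as a plain path-prefix match on acl:default.
  const inherited = Boolean(auth.default) && req.path !== auth.default &&
    req.path.startsWith(auth.default);
  if (!onResource && !inherited) return false;
  if (!auth.modes.includes(req.mode)) return false;
  if (!auth.agents.includes(req.webId)) return false;
  if (!enforceOrigin || auth.origins.length === 0) return true;
  // Assumption: a request with no Origin header (non-browser client) is not origin-restricted.
  if (req.origin === undefined) return true;
  const got = normOrigin(req.origin);
  return got !== null && auth.origins.some((o) => normOrigin(o) === got);
}

// Constructed requests: same authorized WebID, different hosting origins.
const base = {
  path: "/myTestContainer/notes.ttl",
  mode: "Read",
  webId: "https://hyuryu.solid.community/profile/card#me",
};
const fromListedApp = { ...base, origin: "https://hyuryu.inrupt.net" };
const fromOtherPod = { ...base, origin: "https://other-pod.example" };

console.log("ignoring origin, other pod:", isAllowed(ownerAuth, fromOtherPod, false));
console.log("enforcing origin, other pod:", isAllowed(ownerAuth, fromOtherPod, true));
console.log("enforcing origin, listed app:", isAllowed(ownerAuth, fromListedApp, true));
```

With enforcement off, the app hosted on another pod is allowed because only the WebID is checked, which matches what post #1 observed.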


#4

Indeed, acl:trustedapp and acl:origin seem to work as I expected on solidweb.org.
Thank you!