Use acl files to limit applications that can access a resource (using acl:origin)



I am developing an application that manages access permissions (read/write) to a user’s resources by creating/editing acl files.

It works well to restrict users using their webId but I can’t limit the applications that can be used by authorized users.

Here is the acl file used:

# ACL resource for /myTestContainer/
@prefix acl: <>.

	a acl:Authorization;

	acl:agent <>;
	# Only scripts from this domain can control resources
	acl:origin <>;

	# Set the access to the PIMS folder itself
	acl:accessTo </myTestContainer/>;

	# All resources will inherit this authorization, by default
	acl:default </myTestContainer/>;

	# The owner has all of the access modes allowed
	acl:mode
		acl:Read, acl:Write, acl:Control.

Although an origin is specified in the acl file, I can access the resource by hosting the application elsewhere (on another user’s POD for example). Moreover, the “origin” header is correctly indicated by the browser when sending the request.

Did I miss something?


This feature was mentioned as “Possible future”. See So it is not implemented yet AFAIK.


Version 4.x of the NSS server does not implement access control on apps. Version 5.x does. The spec items labeled as “possible future”, specifically the use of acl:trustedApps, have also been implemented in 5.x; it is no longer a “future” feature, it already exists. So if you are testing on the current or servers, they are 4.x and you will not be able to test ACL control of apps. Currently the only publicly accessible 5.x server I know about is at - it does implement app access control.


Indeed acl:trustedapp and acl:origin seem to work as I expected on
Thank you!
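
The difference discussed in this thread, as an added example that is not part of the original posts and not NSS's own code: a simplified model of one authorization evaluated by a server that ignores the requesting app (the 4.x behaviour described above) and by one that enforces acl:origin and trusted apps (5.x). All WebIDs and origins are constructed sample values, the `isAllowed` helper and the shape of the trusted-app entries are assumptions, and every request is assumed to carry an Origin header.

```javascript
// Simplified model of a WAC check that combines acl:agent with acl:origin.
// All WebIDs and origins below are constructed sample values.
const MODES = { Read: 'acl:Read', Write: 'acl:Write', Control: 'acl:Control' };
const ALICE = 'https://alice.example/profile/card#me';

// One acl:Authorization, reduced to the fields this thread discusses.
const authorization = {
  agents: [ALICE],
  origins: ['https://app.example'],
  modes: [MODES.Read, MODES.Write, MODES.Control],
};

// Assumed shape for the owner's trusted-app entries: origin plus granted modes.
const trustedApps = [{ origin: 'https://notes.example', modes: [MODES.Read] }];

// enforceOrigin=false models a server that ignores the app (4.x in the thread);
// enforceOrigin=true models a server that checks it (5.x in the thread).
function isAllowed(auth, trusted, request, enforceOrigin) {
  if (!auth.agents.includes(request.webId)) return false; // wrong user
  if (!auth.modes.includes(request.mode)) return false;   // mode not granted
  if (!enforceOrigin) return true;                        // app is never checked
  if (auth.origins.includes(request.origin)) return true; // acl:origin match
  // Otherwise the app must be trusted by the owner for this specific mode.
  return trusted.some(
    (app) => app.origin === request.origin && app.modes.includes(request.mode)
  );
}

// Same authorized user, four different apps/modes, evaluated both ways.
function demo() {
  const cases = [
    { webId: ALICE, origin: 'https://app.example', mode: MODES.Write },
    { webId: ALICE, origin: 'https://other-pod.example', mode: MODES.Write },
    { webId: ALICE, origin: 'https://notes.example', mode: MODES.Read },
    { webId: ALICE, origin: 'https://notes.example', mode: MODES.Write },
  ];
  return cases.map((request) => ({
    origin: request.origin,
    mode: request.mode,
    ignoringOrigin: isAllowed(authorization, trustedApps, request, false),
    enforcingOrigin: isAllowed(authorization, trustedApps, request, true),
  }));
}

console.table(demo());
```

The second row is the situation from the first post: the user is authorized, so a server that does not check the app grants access even though the app is hosted on a different origin.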