I am developing an application that manages access permissions (read/write) to a user’s resources by creating/editing acl files.
It works well to restrict users using their WebID, but I can’t limit the applications that can be used by authorized users.
Here is the acl file used:
```
# ACL resource for /myTestContainer/
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

<#owner>
    a acl:Authorization;
    acl:agent <https://hyuryu.solid.community/profile/card#me>;
    # Only scripts from this domain can control resources
    acl:origin <https://hyuryu.inrupt.net>;
    # Set the access to the PIMS folder itself
    acl:accessTo </myTestContainer/>;
    # All resources will inherit this authorization, by default
    acl:default </myTestContainer/>;
    # The owner has all of the access modes allowed
    acl:mode acl:Read, acl:Write, acl:Control.
```
Although an origin is specified in the acl file, I can access the resource by hosting the application elsewhere (on another user’s POD for example). Moreover, the “origin” header is correctly indicated by the browser when sending the request.
Did I miss something?