All WML decks are public by default. Whenever you access a URL, you gain access to any variables it uses, creating a potential security risk. To control this risk, you can define access control rules on a per-deck basis. To specify which decks (in other words, URLs) can access a particular deck, you must specify an <access> statement in the deck header. The following is a synopsis of the <access> element:
<access domain="domain" path="path"/>
The default access control settings allow all decks (URLs) in the same domain to access your deck. You generally do not need to change the default settings unless:
home/index
). In this case, you must make your deck bookmarkable (see Letting users bookmark your service on page 50 for more information).
When you specify values for these attributes, the UP.Browser compares those values to the URL of the requesting deck. The domain and path attributes are inclusive, meaning that the requesting deck must match both values in order to access the deck.
NOTE
You cannot specify multiple values for either the domain or path attributes. You must specify domain=".com" if you want to grant access to more than one domain (for example, both sun.com and microsoft.com). Similarly, you must specify path="/" to grant access to both the /foo and /bar directories.
The following table summarizes the effects of specifying different values for the domain and path attributes for a deck located at http://my.com/deck.wml:
When you specify a domain value, the UP.Browser performs a literal string match between the domain of the requesting deck and that value; it does not resolve names or aliases into canonical domain names. For example, if you specify domain="204.163.167.193" for your deck, a deck in the domain devgate2.uplanet.com will not have access to your deck, even if devgate2.uplanet.com is an alias for 204.163.167.193. In this case, the UP.Browser must have loaded the requesting deck from the URL http://204.163.167.193/path in order for it to access your deck.
As illustrated in Figure 2-7, the default access control settings let you navigate from your deck to any other URL in the same domain.
Figure 2-7. Navigating between decks in the same domain
The UP.Browser displays an error message, however, if you try to navigate to a deck in a different domain (see Figure 2-8).
Figure 2-8. Error navigating between decks in different domains
NOTE
Pressing the OPTIONS key displays the message Access Control Error.
In order for deck1.wml to access deck2.wml in this example, you must use the domain attribute to grant access to mydomain.com (as shown below).
Figure 2-9. Allowing navigation between decks in different domains
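The matching rules described above can be modeled offline to check an <access> setting before deploying a deck. This is an added example, not code from this guide or from the UP.Browser; matching on whole domain labels and whole path segments is an assumption taken from the WML specification's matching rules, and the function names and test URLs are constructed.

```python
from urllib.parse import urlsplit

def _labels(domain):
    # Empty labels are dropped, so ".com" and "com" compare alike (assumption).
    return [p for p in domain.lower().split(".") if p]

def domain_matches(requesting_host, allowed):
    """Suffix match on whole labels; string comparison only, no DNS lookup."""
    want, have = _labels(allowed), _labels(requesting_host)
    return bool(want) and have[-len(want):] == want

def path_matches(requesting_path, allowed):
    """Prefix match on whole path segments ("/foo" does not cover "/foobar")."""
    want = [s for s in allowed.split("/") if s]
    have = [s for s in requesting_path.split("/") if s]
    return have[:len(want)] == want

def may_access(requesting_url, deck_url, domain=None, path="/"):
    """True if the deck at requesting_url may enter the deck at deck_url."""
    req = urlsplit(requesting_url)
    if domain is None:  # default setting: same domain as the protected deck
        domain = urlsplit(deck_url).hostname
    # The attributes are inclusive: both must match.
    return domain_matches(req.hostname or "", domain) and path_matches(req.path, path)

DECK = "http://my.com/deck.wml"

# Constructed cases: (requesting URL, domain attribute, path attribute)
CASES = [
    ("http://my.com/other/deck.wml", None, "/"),                    # same domain, defaults
    ("http://mydomain.com/deck1.wml", None, "/"),                   # other domain, defaults
    ("http://mydomain.com/deck1.wml", "mydomain.com", "/"),         # access granted explicitly
    ("http://devgate2.uplanet.com/deck.wml", "204.163.167.193", "/"),  # alias is not resolved
    ("http://204.163.167.193/deck.wml", "204.163.167.193", "/"),    # literal match
    ("http://sun.com/deck.wml", ".com", "/"),                       # one value covering many domains
    ("http://my.com/bar/deck.wml", "my.com", "/foo"),               # domain matches, path does not
    ("http://my.com/foobar/deck.wml", "my.com", "/foo"),            # partial segment is no match
]

def run_cases():
    return [may_access(url, DECK, domain, path) for url, domain, path in CASES]

if __name__ == "__main__":
    for (url, domain, path), ok in zip(CASES, run_cases()):
        print("ALLOW" if ok else "DENY ", url, "domain=%r path=%r" % (domain, path))
```

The fourth and fifth cases show why an IP address in the domain attribute locks out decks loaded by hostname: the comparison is on the URL text, not on what the name resolves to.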