ISSUE-12: IIS and Access-Control-Policy-Path


IIS and Access-Control-Policy-Path

HISTORICAL: CORS [this spec uses Bugzilla for Bug/Issue tracking]
Raised by:
Anne van Kesteren
Opened on:
[[ This issue was created on 2008-06-06 as Issue #25 in the Web Applications Formats (WAF) WG and is copied in totality to the Web Applications WG's Issues database:
<> ]]

IIS servers have an issue in that resources can be addressed by several distinct URIs as explained in this e-mail:

This impacts the design of Access-Control-Policy-Path to some extent. Two proposals have been put forward by members of the WG to address this issue:

A. If a URI (also one given during redirects, etc.) contains the "\.." sequence (or the escaped form) apply the generic network error steps.

B. Warn against using the Access-Control-Policy-Path feature in servers that exhibit this behavior.

Related Actions Items:
No related actions
Related emails:
  1. Re: [cors] Review (from on 2009-06-16)
  2. Re: [cors] Review (from on 2009-06-15)
  3. [access-control] Proposal to Close Issue#12 - IIS and Access-Control-Policy-Path (from on 2008-10-09)
  4. [access-control] Issue list (from on 2008-07-08)
  5. Re: ISSUE-12 (access-control-policy-path): IIS and Access-Control-Policy-Path [Access Control] (from on 2008-06-23)
  6. ISSUE-12 (access-control-policy-path): IIS and Access-Control-Policy-Path [Access Control] (from on 2008-06-23)

Related notes:

Closed. See:

Arthur Barstow, 21 Oct 2008, 16:04:04

Display change log ATOM feed

Chair, Staff Contact
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: 12.html,v 1.1 2016/01/25 10:26:13 carine Exp $