With the current spec, it's easy to apply EPR to protect an application living at a domain. For example, if someone wanted to use EPR to protect an admin console living at admin.example.com, that would be straightforward to do.
Some websites deploy applications at specific paths rather than subdomains. For example, an admin console might live at www.example.com/admin. Especially when rolling out EPR gradually, it's really handy to be able to apply the policy to a base URL rather than an entire site (domain).
As the spec currently is, it's possible to do this, but it's pretty clunky and doesn't scale well to protecting multiple applications living at different paths on the same domain. Keeping the policies separate for these unrelated applications seems like a much cleaner way of doing this.
Is this something we want to do, having a mechanism for having EPR policies apply to paths rather than entire domains? And if yes, what's the best mechanism for doing so?