Capability systems can turn authorization decisions into parsing decisions, points out Nathaniel Filardo. #SP16
yeah but is it a good idea? my favorite example here is IPs parsed with regex: possible to do mostly correctly, but icky
you probably need semantic checks here anyway (no localhost etc); on the parser side you only need to look for digits and dots
ofc in a real world system it's more complex: cases like one-off script vs legacy vs you get to design it from the ground up
keeping authorization in a parsing decision helps to make it state-independent though, that may be useful in cases

