
How do DotNetOpenAuth whitelist and blacklists work?


Does anyone have any documentation on DotNetOpenAuth and the way it handles whitelists and blacklists?

My config

<untrustedWebRequest>
    <blacklistHosts>
        <add name="*" />
    </blacklistHosts>

    <whitelistHosts>
        <add name="www.mysite.ca" />
        <add name="mysite.ca" />
        <add name="devel.mysite.ca" />
        <add name="devel.mysite.com" />
        <add name="mysite.com" />
        <add name="www.mysite.com" />
    </whitelistHosts>
</untrustedWebRequest>

What I want is to have it cancel the request if it's any site not in the whitelist. I'm currently running version 2.5.49045 but plan to update soon.

Using

<blacklistHostsRegex>
    <add name=".*" />
</blacklistHostsRegex>

blocked every site, even ones in the whitelist.


Solution

  • The logic that processes the whitelist and blacklist is like so:

    DotNetOpenId/DotNetOpenAuth already has some intuition about some safe and unsafe host names. So it will block some and allow others without you setting anything in these lists. The lists are to override this behavior.

    1. DNOA encounters an implicitly disallowed hostname. Deny -- unless it's on the whitelist in which case let it through immediately.
    2. The hostname otherwise looks safe, but if it is on the blacklist, deny.

    A host that's on the blacklist will (almost) never get through (the exception being if it looks unsafe anyway AND it's on the whitelist).

    If you want to blacklist everything except a specific set of hosts, I think your best bet is to use just the blacklist, and do a regex "not" match:

    <untrustedWebRequest>
        <blacklistHostsRegex>
            <!-- Negative lookahead: a host name that is NOT exactly one of the listed names
                 matches this pattern and is therefore blacklisted. The inner $ makes the
                 lookahead compare whole names, and .* is needed so the pattern can actually
                 consume (and thus match) any other host. -->
            <add name="^(?!(?:www\.mysite\.ca|www\.mysite\.com|devel\.mysite\.com)$).*$" />
        </blacklistHostsRegex>
    </untrustedWebRequest>

    This seems a bit convoluted. But it will work in present versions of DotNetOpenId/DotNetOpenAuth. And going forward, I'll get this fixed to be something much more obvious.
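A small model of the two-step precedence described in this answer (implicitly unsafe hosts are denied unless whitelisted; otherwise the blacklist and regex blacklist deny), with the "blacklist everything except a few hosts" negative-lookahead pattern applied to constructed host names. This is an added example, not DotNetOpenAuth's own code; the `IMPLICITLY_UNSAFE` set is an assumed stand-in for the library's built-in host heuristics, which are not reproduced here.

```python
import re
from dataclasses import dataclass, field

# Assumption: stand-in for DNOA's built-in intuition about unsafe hosts.
# The real library's heuristics are not modelled; these names are constructed.
IMPLICITLY_UNSAFE = {"localhost", "127.0.0.1", "intranet"}


@dataclass
class HostPolicy:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    blacklist_regex: list = field(default_factory=list)

    def allows(self, host: str) -> bool:
        host = host.lower()
        # Step 1: implicitly disallowed host -> deny, unless whitelisted.
        if host in IMPLICITLY_UNSAFE:
            return host in self.whitelist
        # Step 2: host looks safe -> deny if it is on either blacklist.
        if host in self.blacklist:
            return False
        return not any(re.search(p, host) for p in self.blacklist_regex)


ALLOWED = ("www.mysite.ca", "www.mysite.com", "devel.mysite.com")

# Blacklist everything except ALLOWED: the negative lookahead rejects (i.e.
# leaves unmatched) only an exact allowed name; the inner $ prevents a
# prefix such as "www.mysite.ca.evil.example" from being treated as allowed,
# and the trailing .*$ lets the pattern consume any other host.
DENY_ALL_BUT_ALLOWED = (
    r"^(?!(?:" + "|".join(re.escape(h) for h in ALLOWED) + r")$).*$"
)


def build_policy() -> HostPolicy:
    """Policy equivalent to the regex-only configuration in the answer."""
    return HostPolicy(blacklist_regex=[DENY_ALL_BUT_ALLOWED])


def evaluate(hosts) -> dict:
    """Return {host: allowed?} for a list of host names under build_policy()."""
    policy = build_policy()
    return {h: policy.allows(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample hosts: allowed names, an attacker-controlled
    # superstring of an allowed name, an unrelated host, and an implicitly unsafe one.
    for host, ok in evaluate(["www.mysite.ca", "www.mysite.ca.evil.example",
                              "evil.example", "localhost"]).items():
        print(f"{host:32} {'allow' if ok else 'deny'}")
```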