
I'm not sure I understand the concern here. Typically there is a logged-in user, and the server asks Zanzibar if the user can or cannot access some document. Whether a certain document exists or not isn't typically a secret, i.e. you might get HTTP 403 (forbidden) or 404 depending on whether or not the document exists.



Please see my other comment: https://news.ycombinator.com/item?id=26983342

My concern isn't access to single objects, but rather filtering of complex search results.


This very much depends. GitHub for example will return 404 for a private repository when you are logged out. The idea is balancing HTTP semantics with information leaking.


Does the 404 for a logged-out repo return in the same amount of time as for a repo that doesn't truly exist?



