IRC log for #rest, 2015-10-02

https://trygvis.io/rest-wiki/

← Previous day | Channels | #rest index | Today | Next day → | Search | Google Search | Plain-Text | plain, newest first | summary

All times shown according to UTC.

Time	S	Nick	Message
03:01			baweaver joined #rest
03:37			fuzzyhorns joined #rest
03:53			huckleberry78 joined #rest
04:19			huckleberry78 joined #rest
05:07			baweaver joined #rest
05:16			huckleberry78 joined #rest
07:24			timg___ joined #rest
07:49			interop_madness joined #rest
08:10			timg___ joined #rest
08:26			DrCode joined #rest
11:10			Coldblackice joined #rest
11:33			timg___ joined #rest
12:26			timg___ joined #rest
12:56			cvander joined #rest
13:11			mezod joined #rest
14:03			timg___ joined #rest
14:28			bluezone joined #rest
14:33			fumanchu_ joined #rest
14:46			woky joined #rest
14:48		woky	Hi. I've a public web app where user is authorized to do certain actions upon successful authentication via cookie. Other site can issue the redirect to my site, e.g to http://foo/drop-down-uranium-rods. How can I prevent this? Is it reliable to allow only request where domain in the Referer header matches the domain on which the site is hosted? Is there any other mechanism in HTTP to prevent such malicious red
14:49		woky	irects?
14:54		woky	I think I've found the relevant reading https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
15:15			timg___ joined #rest
15:28			woky left #rest
18:24			foist joined #rest
18:43			Coldblackice joined #rest
19:51			CentaurWarchief joined #rest
19:52		CentaurWarchief	it's fine to send `Authorization` header in response?
19:52		CentaurWarchief	when tue user change its password?
19:52		CentaurWarchief	s/tue/the
20:58		whartung	what do you mean CentaurWarchief
21:00		CentaurWarchief	whartung: aw, forget... it was about sending the new Authorization token using Authorization in response header
21:01		whartung	I wouldn't use it for that
21:11		CentaurWarchief	whartung: yes, I understand why
21:11		CentaurWarchief	I think that it wouldn't be semantic as I see Authorization only acceptable in request headers
21:11		CentaurWarchief	like content negotiation headers `Accept-*`
21:12		whartung	yea, basically
21:12		CentaurWarchief	doesn't make sense sending it in response as it determines how the server should answer the request
21:12		CentaurWarchief	or authorize :P
21:13		CentaurWarchief	and btw, it doesn't makes sense also because headers (request/response) describes the body
21:13		CentaurWarchief	and `Authorization` in response header has no meaning
21:13		whartung	yea they're basically meta-data
21:14		CentaurWarchief	exactly.. they describe the body
21:14		CentaurWarchief	for example:
21:14		CentaurWarchief	Content-Type: image/png
21:14		CentaurWarchief	you know before reading the body that the content is encoded in png
21:31			fuzzyhorns joined #rest
21:31		fumanchu	not all headers are Entity headers, though. some are Transport or General.
21:32		CentaurWarchief	fumanchu: yes
21:34		fumanchu	although I see now that http-bis dropped that taxonomy
21:37		whartung	I haven't really looked at http/2 at all
21:51			CentaurWarchief left #rest
21:54			fuzzyhorns joined #rest
21:55			fuzzyhorns joined #rest
21:58			fuzzyhorns joined #rest

← Previous day | Channels | #rest index | Today | Next day → | Search | Google Search | Plain-Text | plain, newest first | summary

https://trygvis.io/rest-wiki/