IRC log for #rest, 2015-10-02

https://trygvis.io/rest-wiki/

All times shown according to UTC.

Time S Nick Message
03:01 baweaver joined #rest
03:37 fuzzyhorns joined #rest
03:53 huckleberry78 joined #rest
04:19 huckleberry78 joined #rest
05:07 baweaver joined #rest
05:16 huckleberry78 joined #rest
07:24 timg___ joined #rest
07:49 interop_madness joined #rest
08:10 timg___ joined #rest
08:26 DrCode joined #rest
11:10 Coldblackice joined #rest
11:33 timg___ joined #rest
12:26 timg___ joined #rest
12:56 cvander joined #rest
13:11 mezod joined #rest
14:03 timg___ joined #rest
14:28 bluezone joined #rest
14:33 fumanchu_ joined #rest
14:46 woky joined #rest
14:48 woky Hi. I've a public web app where a user is authorized to do certain actions upon successful authentication via cookie. Another site can issue a redirect to my site, e.g. to http://foo/drop-down-uranium-rods. How can I prevent this? Is it reliable to allow only requests where the domain in the Referer header matches the domain on which the site is hosted? Is there any other mechanism in HTTP to prevent such malicious redirects?
14:54 woky I think I've found the relevant reading https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
15:15 timg___ joined #rest
15:28 woky left #rest
18:24 foist joined #rest
18:43 Coldblackice joined #rest
19:51 CentaurWarchief joined #rest
19:52 CentaurWarchief is it fine to send the `Authorization` header in a response?
19:52 CentaurWarchief when tue user changes their password?
19:52 CentaurWarchief s/tue/the
20:58 whartung what do you mean CentaurWarchief
21:00 CentaurWarchief whartung: aw, forget... it was about sending the new Authorization token using Authorization in response header
21:01 whartung I wouldn't use it for that
21:11 CentaurWarchief whartung: yes, I understand why
21:11 CentaurWarchief I think that it wouldn't be semantic as I see Authorization only acceptable in request headers
21:11 CentaurWarchief like content negotiation headers `Accept-*`
21:12 whartung yea, basically
21:12 CentaurWarchief it doesn't make sense to send it in a response, as it determines how the server should answer the request
21:12 CentaurWarchief or authorize :P
21:13 CentaurWarchief and btw, it also doesn't make sense because headers (request/response) describe the body
21:13 CentaurWarchief and `Authorization` in a response header has no meaning
21:13 whartung yea they're basically meta-data
21:14 CentaurWarchief exactly.. they describe the body
21:14 CentaurWarchief for example:
21:14 CentaurWarchief Content-Type: image/png
21:14 CentaurWarchief you know before reading the body that the content is encoded as PNG
21:31 fuzzyhorns joined #rest
21:31 fumanchu not all headers are Entity headers, though. some are Transport or General.
21:32 CentaurWarchief fumanchu: yes
21:34 fumanchu although I see now that http-bis dropped that taxonomy
21:37 whartung I haven't really looked at http/2 at all
21:51 CentaurWarchief left #rest
21:54 fuzzyhorns joined #rest
21:55 fuzzyhorns joined #rest
21:58 fuzzyhorns joined #rest