Time  Nick            Message
14:48 woky            Hi. I've a public web app where a user is authorized to do certain actions upon successful authentication via cookie. Another site can issue a redirect to my site, e.g. to http://foo/drop-down-uranium-rods. How can I prevent this? Is it reliable to allow only requests where the domain in the Referer header matches the domain on which the site is hosted? Is there any other mechanism in HTTP to prevent such malicious redirects?
14:54 woky            I think I've found the relevant reading https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
19:52 CentaurWarchief Is it fine to send the `Authorization` header in a response?
19:52 CentaurWarchief when tue user change its password?
19:52 CentaurWarchief s/tue/the
20:58 whartung        what do you mean CentaurWarchief
21:00 CentaurWarchief whartung: aw, forget... it was about sending the new Authorization token using Authorization in response header
21:01 whartung        I wouldn't use it for that
21:11 CentaurWarchief whartung: yes, I understand why
21:11 CentaurWarchief I think that it wouldn't be semantic as I see Authorization only acceptable in request headers
21:11 CentaurWarchief like content negotiation headers `Accept-*`
21:12 whartung        yea, basically
21:12 CentaurWarchief doesn't make sense sending it in response as it determines how the server should answer the request
21:12 CentaurWarchief or authorize :P
21:13 CentaurWarchief and btw, it doesn't make sense also because headers (request/response) describe the body
21:13 CentaurWarchief and `Authorization` in a response header has no meaning
21:13 whartung        yea they're basically meta-data
21:14 CentaurWarchief exactly.. they describe the body
21:14 CentaurWarchief for example:
21:14 CentaurWarchief Content-Type: image/png
21:14 CentaurWarchief you know before reading the body that the content is encoded in png
21:31 fumanchu        not all headers are Entity headers, though. some are Transport or General.
21:32 CentaurWarchief fumanchu: yes
21:34 fumanchu        although I see now that http-bis dropped that taxonomy
21:37 whartung        I haven't really looked at http/2 at all