<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> [99s-extend] Cowboy Calling Hostname
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3C9CEDE09F-E3AF-47FB-95B4-6550000B4CE7%40gmail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<style type="text/css">
pre {
white-space: pre-wrap; /* css-2.1, current FF, Opera, Safari */
}
</style>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000266.html">
<LINK REL="Next" HREF="000268.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[99s-extend] Cowboy Calling Hostname</H1>
<B>Lee Sylvester</B>
<A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3C9CEDE09F-E3AF-47FB-95B4-6550000B4CE7%40gmail.com%3E"
TITLE="[99s-extend] Cowboy Calling Hostname">lee.sylvester at gmail.com
</A><BR>
<I>Thu Oct 10 08:05:23 CEST 2013</I>
<P><UL>
<LI>Previous message: <A HREF="000266.html">[99s-extend] Cowboy Calling Hostname
</A></li>
<LI>Next message: <A HREF="000268.html">[99s-extend] SSL Example
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#267">[ date ]</a>
<a href="thread.html#267">[ thread ]</a>
<a href="subject.html#267">[ subject ]</a>
<a href="author.html#267">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Thank you, Daniel. The project looks very useful. At this stage, I don't need to strictly require calls to come from a set domain but would like this to be a hurdle for hackers. I may set up an IP restriction instead.
Thanks,
Lee
Sent from my iPhone
><i> On Oct 10, 2013, at 12:03 AM, Daniel White <<A HREF="https://lists.ninenines.eu/listinfo/extend">daniel at whitehouse.id.au</A>> wrote:
</I>><i>
</I>><i> Depending on your requirements, there is a high likelihood that you
</I>><i> need to support pre-flight requests. Especially if you're intending
</I>><i> on providing credentials in the requests. Many of the interesting
</I>><i> headers are not simple headers (for CORS) and require a handshake
</I>><i> first between browser and server to ensure the headers in question are
</I>><i> allowed to be sent.
</I>><i>
</I>><i> This obviously limits the amount of information you can determine
</I>><i> about the caller. One alternative here is the use of OAuth2 with the
</I>><i> 'access_token' query parameter. This can be sent along with the
</I>><i> pre-flight request.
</I>><i>
</I>><i> On the other hand, some providers (Github, IIRC) will simply validate
</I>><i> a CORS request by comparing the 'Origin' against their entire list of
</I>><i> registered origins. This opens up some opportunity for abuse by other
</I>><i> clients in the system, but can be further mitigated by enforcing the
</I>><i> 'Origin' more strictly at the authorization step of the request.
</I>><i>
</I>><i> As an aside, I have a cowboy middleware project to do the heavy
</I>><i> lifting for CORS at <A HREF="https://github.com/danielwhite/cowboy_cors">https://github.com/danielwhite/cowboy_cors</A>.
</I>><i> Business policies can be implemented by means of a callback module.
</I>><i>
</I>><i> Cheers,
</I>><i>
</I>><i>
</I>>><i> On Thu, Oct 10, 2013 at 4:28 AM, Lee Sylvester <<A HREF="https://lists.ninenines.eu/listinfo/extend">lee.sylvester at gmail.com</A>> wrote:
</I>>><i> Essentially, the REST service endpoint would be on widgets.net while the
</I>>><i> client's website, in this case things.com, has a JavaScript that makes an
</I>>><i> AJAX call to widgets.net. The account on widgets.net for things.com will
</I>>><i> have the things.com domain registered to its account, so that widgets.net
</I>>><i> can check to see if the request is coming from an expected domain.
</I>>><i>
</I>>><i> Thanks,
</I>>><i> Lee
</I>>><i>
</I>>><i>
</I>>><i> On 9 Oct 2013, at 16:51, Nathan Michaels <<A HREF="https://lists.ninenines.eu/listinfo/extend">nathan at nmichaels.org</A>> wrote:
</I>>><i>
</I>>><i> Is the client making the request to your service on widgets.net because
</I>>><i> things.com sent them there, or is things.com making the request directly on
</I>>><i> behalf of the client? The first is what Loïc is talking about. The second is
</I>>><i> the source IP of the request, which you can definitely get.
</I>>><i>
</I>>><i>
</I>>>><i> On Wed, Oct 9, 2013 at 11:32 AM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>> wrote:
</I>>>><i>
</I>>>><i> In short: you can't.
</I>>>><i>
</I>>>><i> Browsers may send origin/referer/.. headers depending on the type of
</I>>>><i> request, but you can't rely on them to be real or even just there.
</I>>>><i>
</I>>>><i>
</I>>>>><i> On 10/09/2013 05:30 PM, Lee Sylvester wrote:
</I>>>>><i>
</I>>>>><i> Thank you. I couldn't work out if that's the host being called from or
</I>>>>><i> the host name in the request. For example, a store called things.com makes
</I>>>>><i> a request to my service on widgets.net. I need to see that the request is
</I>>>>><i> made FROM things.com for validation purposes. Is it correct that host will
</I>>>>><i> provide this?
</I>>>>><i>
</I>>>>><i> Thanks,
</I>>>>><i> Lee
</I>>>>><i>
</I>>>>><i> Sent from my iPhone
</I>>>>><i>
</I>>>>>><i> On Oct 9, 2013, at 2:31 PM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>> wrote:
</I>>>>>><i>
</I>>>>>><i> cowboy_req:host/1?
</I>>>>>><i>
</I>>>>>><i> Please use the nice manual we have now.
</I>>>>>><i>
</I>>>>>><i> <A HREF="http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req">http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req</A>
</I>>>>>><i>
</I>>>>>>><i> On 10/09/2013 03:27 PM, Lee Sylvester wrote:
</I>>>>>>><i> Hi,
</I>>>>>>><i>
</I>>>>>>><i> When receiving a Cowboy request, is there a way to find out which
</I>>>>>>><i> hostname the user made the request from? I'm using CORS in my REST and
</I>>>>>>><i> Bullet app, where each call can be made through a given account. However,
</I>>>>>>><i> I'd like to be able to lock requests for each account to a designated
</I>>>>>>><i> hostname to protect that user's account usage.
</I>>>>>>><i>
</I>>>>>>><i> Thanks,
</I>>>>>>><i> Lee
</I>>>>>>><i>
</I>>>>>>><i> _______________________________________________
</I>>>>>>><i> Extend mailing list
</I>>>>>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>>>>>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>>>>>><i>
</I>>>>>><i>
</I>>>>>><i>
</I>>>>>><i> --
</I>>>>>><i> Loïc Hoguin
</I>>>>>><i> Erlang Cowboy
</I>>>>>><i> Nine Nines
</I>>>>>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A>
</I>>>><i>
</I>>>><i>
</I>>>><i>
</I>>>><i> --
</I>>>><i> Loïc Hoguin
</I>>>><i> Erlang Cowboy
</I>>>><i> Nine Nines
</I>>>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A>
</I>>><i>
</I>>><i>
</I>>><i>
</I>>><i>
</I>>><i>
</I>><i>
</I>><i>
</I>><i>
</I>><i> --
</I>><i> Daniel White
</I>
</PRE>
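<P>An added example, not code from this thread or from the cowboy_cors project, showing the per-account Origin check Daniel describes (registered origins compared against the calling account only, with the OAuth2 'access_token' query parameter as the credential that survives into a pre-flight). Account names, tokens and origins are constructed; Origin is enforced by browsers only, so this remains the "hurdle" Lee mentions, not authentication.</P>

```python
# Added example (not from the thread or from cowboy_cors). Constructed registry:
# each widgets.net account lists the origins registered to it.
ACCOUNTS = {
    "acct-things": {"token": "tok-things", "origins": {"https://things.com"}},
    "acct-other": {"token": "tok-other", "origins": {"https://other.example"}},
}


def account_for(query, headers):
    """Resolve the calling account from the credential.

    A CORS pre-flight (OPTIONS) carries no Authorization header, so the
    'access_token' query parameter is the one credential present on both
    the pre-flight and the actual request.
    """
    token = query.get("access_token")
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
    for name, acct in ACCOUNTS.items():
        if acct["token"] == token:
            return name
    return None


def cors_decision(method, headers, query):
    """Return (status, response_headers) for a cross-origin call.

    Only origins registered to the *calling* account are accepted. Checking
    Origin against every customer's registered origin (the global list some
    providers use) would let one customer's page call with another's token.
    Origin is set by browsers only; non-browser clients can omit or forge it,
    so a missing or unknown Origin is rejected but the token still decides
    who the caller is.
    """
    origin = headers.get("origin")
    account = account_for(query, headers)
    if origin is None or account is None:
        return 403, {}
    if origin not in ACCOUNTS[account]["origins"]:
        return 403, {}
    allow = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS" and "access-control-request-method" in headers:
        # Pre-flight handshake: advertise what the browser may send next.
        allow["Access-Control-Allow-Methods"] = "GET, POST"
        allow["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        return 204, allow
    return 200, allow
```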
<!--endarticle-->
<hr>
<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend
mailing list</a><br>
</body></html>