diff options
| author | Loïc Hoguin <[email protected]> | 2016-08-29 12:39:49 +0200 |
|---|---|---|
| committer | Loïc Hoguin <[email protected]> | 2016-08-29 12:40:03 +0200 |
| commit | c807880f7ac73f813b2660ea81a00f7712a4e793 (patch) | |
| tree | ba1d09e9b177f230665a80513b33fbd532000ce4 /_build/static/archives/extend/2013-October/000267.html | |
| parent | b1df25a7d9cda697513650659b781b55b40898f8 (diff) | |
| download | ninenines.eu-c807880f7ac73f813b2660ea81a00f7712a4e793.tar.gz ninenines.eu-c807880f7ac73f813b2660ea81a00f7712a4e793.tar.bz2 ninenines.eu-c807880f7ac73f813b2660ea81a00f7712a4e793.zip | |
Add old mailing list archives
Diffstat (limited to '_build/static/archives/extend/2013-October/000267.html')
| -rw-r--r-- | _build/static/archives/extend/2013-October/000267.html | 197 |
1 files changed, 197 insertions, 0 deletions
diff --git a/_build/static/archives/extend/2013-October/000267.html b/_build/static/archives/extend/2013-October/000267.html new file mode 100644 index 00000000..b403cab5 --- /dev/null +++ b/_build/static/archives/extend/2013-October/000267.html @@ -0,0 +1,197 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML> + <HEAD> + <TITLE> [99s-extend] Cowboy Calling Hostname + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3C9CEDE09F-E3AF-47FB-95B4-6550000B4CE7%40gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <style type="text/css"> + pre { + white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ + } + </style> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000266.html"> + <LINK REL="Next" HREF="000268.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[99s-extend] Cowboy Calling Hostname</H1> + <B>Lee Sylvester</B> + <A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3C9CEDE09F-E3AF-47FB-95B4-6550000B4CE7%40gmail.com%3E" + TITLE="[99s-extend] Cowboy Calling Hostname">lee.sylvester at gmail.com + </A><BR> + <I>Thu Oct 10 08:05:23 CEST 2013</I> + <P><UL> + <LI>Previous message: <A HREF="000266.html">[99s-extend] Cowboy Calling Hostname +</A></li> + <LI>Next message: <A HREF="000268.html">[99s-extend] SSL Example +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#267">[ date ]</a> + <a href="thread.html#267">[ thread ]</a> + <a href="subject.html#267">[ subject ]</a> + <a href="author.html#267">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Thank you, Daniel. The project looks very useful. At this stage, I don't need to strictly require calls to come from a set domain but would like this to be a hurdle for hackers. I may set up an IP restriction instead. + +Thanks, +Lee + +Sent from my iPhone + +><i> On Oct 10, 2013, at 12:03 AM, Daniel White <<A HREF="https://lists.ninenines.eu/listinfo/extend">daniel at whitehouse.id.au</A>> wrote: +</I>><i> +</I>><i> Depending on your requirements, there is a high likelihood that you +</I>><i> need to support pre-flight requests. Especially if you're intending +</I>><i> on providing credentials in the requests. Many of the interesting +</I>><i> headers are not simple headers (for CORS) and require a handshake +</I>><i> first between browser and server to ensure the headers in question are +</I>><i> allowed to be sent. +</I>><i> +</I>><i> This obviously limits the amount of information you can determine +</I>><i> about the caller. One alternative here, is the use of OAuth2 with the +</I>><i> 'access_token' query parameter. This can be sent along with the +</I>><i> pre-flight request. +</I>><i> +</I>><i> On the other hand, some providers (Github, IIRC) will simply validate +</I>><i> a CORS request by comparing the 'Origin' against their entire list of +</I>><i> registered origins. This opens up some opportunity for abuse by other +</I>><i> clients in the system, but can be further mitigated by enforcing the +</I>><i> 'Origin' more strictly at the authorization step of the request. +</I>><i> +</I>><i> As an aside, I have a cowboy middleware project to do the heavy +</I>><i> lifting for CORS at <A HREF="https://github.com/danielwhite/cowboy_cors.">https://github.com/danielwhite/cowboy_cors.</A> +</I>><i> Business policies can be implemented by means of a callback module. +</I>><i> +</I>><i> Cheers, +</I>><i> +</I>><i> +</I>>><i> On Thu, Oct 10, 2013 at 4:28 AM, Lee Sylvester <<A HREF="https://lists.ninenines.eu/listinfo/extend">lee.sylvester at gmail.com</A>> wrote: +</I>>><i> Essentially, the REST service endpoint would be on widgets.net while the +</I>>><i> clients website, in this case things.com, has a JavaScript that makes an +</I>>><i> AJAX call to widgets.net. The account on widgets.net for things.com will +</I>>><i> have the things.com domain registered to its account, so that widgets.net +</I>>><i> can check to see if the request is coming from an expected domain. +</I>>><i> +</I>>><i> Thanks, +</I>>><i> Lee +</I>>><i> +</I>>><i> +</I>>><i> On 9 Oct 2013, at 16:51, Nathan Michaels <<A HREF="https://lists.ninenines.eu/listinfo/extend">nathan at nmichaels.org</A>> wrote: +</I>>><i> +</I>>><i> Is the client making the request to your service on widgets.net because +</I>>><i> things.com sent them there, or is things.com making the request directly on +</I>>><i> behalf of the client? The first is what Loïc is talking about. The second is +</I>>><i> the source IP of the request, which you can definitely get. +</I>>><i> +</I>>><i> +</I>>>><i> On Wed, Oct 9, 2013 at 11:32 AM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>> wrote: +</I>>>><i> +</I>>>><i> In short: you can't. +</I>>>><i> +</I>>>><i> Browsers may send origin/referer/.. headers depending on the type of +</I>>>><i> request, but you can't rely on them to be real or even just there. +</I>>>><i> +</I>>>><i> +</I>>>>><i> On 10/09/2013 05:30 PM, Lee Sylvester wrote: +</I>>>>><i> +</I>>>>><i> Thank you. I couldn't work out if that's the host being called from or +</I>>>>><i> the host name in the request. For example, a store called things.com makes +</I>>>>><i> a request to my service on widgets.net. I need to see that the request is +</I>>>>><i> made FROM things.com for validation purposes. Is it correct that host will +</I>>>>><i> provide this? +</I>>>>><i> +</I>>>>><i> Thanks, +</I>>>>><i> Lee +</I>>>>><i> +</I>>>>><i> Sent from my iPhone +</I>>>>><i> +</I>>>>>><i> On Oct 9, 2013, at 2:31 PM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>> wrote: +</I>>>>>><i> +</I>>>>>><i> cowboy_req:host/1? +</I>>>>>><i> +</I>>>>>><i> Please use the nice manual we have now. +</I>>>>>><i> +</I>>>>>><i> <A HREF="http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req">http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req</A> +</I>>>>>><i> +</I>>>>>>><i> On 10/09/2013 03:27 PM, Lee Sylvester wrote: +</I>>>>>>><i> Hi, +</I>>>>>>><i> +</I>>>>>>><i> When receiving a Cowboy request, is there a way to find out which +</I>>>>>>><i> hostname the user made the request from? I'm using CORS in my REST and +</I>>>>>>><i> Bullet app, where each call can be made through a given account. However, +</I>>>>>>><i> I'd like to be able to lock requests for each account to a designated +</I>>>>>>><i> hostname to protect that users account usage. +</I>>>>>>><i> +</I>>>>>>><i> Thanks, +</I>>>>>>><i> Lee +</I>>>>>>><i> +</I>>>>>>><i> _______________________________________________ +</I>>>>>>><i> Extend mailing list +</I>>>>>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A> +</I>>>>>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A> +</I>>>>>><i> +</I>>>>>><i> +</I>>>>>><i> +</I>>>>>><i> -- +</I>>>>>><i> Loïc Hoguin +</I>>>>>><i> Erlang Cowboy +</I>>>>>><i> Nine Nines +</I>>>>>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A> +</I>>>><i> +</I>>>><i> +</I>>>><i> +</I>>>><i> -- +</I>>>><i> Loïc Hoguin +</I>>>><i> Erlang Cowboy +</I>>>><i> Nine Nines +</I>>>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A> +</I>>>><i> _______________________________________________ +</I>>>><i> Extend mailing list +</I>>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A> +</I>>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A> +</I>>><i> +</I>>><i> +</I>>><i> _______________________________________________ +</I>>><i> Extend mailing list +</I>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A> +</I>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A> +</I>>><i> +</I>>><i> +</I>>><i> +</I>>><i> _______________________________________________ +</I>>><i> Extend mailing list +</I>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A> +</I>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A> +</I>><i> +</I>><i> +</I>><i> +</I>><i> -- +</I>><i> Daniel White +</I> +</PRE> + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000266.html">[99s-extend] Cowboy Calling Hostname +</A></li> + <LI>Next message: <A HREF="000268.html">[99s-extend] SSL Example +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#267">[ date ]</a> + <a href="thread.html#267">[ thread ]</a> + <a href="subject.html#267">[ subject ]</a> + <a href="author.html#267">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend +mailing list</a><br> +</body></html> |