diff options
Diffstat (limited to 'archives/extend/2013-October/000266.html')
-rw-r--r-- | archives/extend/2013-October/000266.html | 189 |
1 files changed, 189 insertions, 0 deletions
diff --git a/archives/extend/2013-October/000266.html b/archives/extend/2013-October/000266.html new file mode 100644 index 00000000..32c5a245 --- /dev/null +++ b/archives/extend/2013-October/000266.html @@ -0,0 +1,189 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML> + <HEAD> + <TITLE> [99s-extend] Cowboy Calling Hostname + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3CCAMD5n_3RJT3Nd0p4cbgCtR1XavDXSY6kaWTbwiLwqH_bF74KOw%40mail.gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <style type="text/css"> + pre { + white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ + } + </style> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000265.html"> + <LINK REL="Next" HREF="000267.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[99s-extend] Cowboy Calling Hostname</H1> + <B>Daniel White</B> + <A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3CCAMD5n_3RJT3Nd0p4cbgCtR1XavDXSY6kaWTbwiLwqH_bF74KOw%40mail.gmail.com%3E" + TITLE="[99s-extend] Cowboy Calling Hostname">daniel at whitehouse.id.au + </A><BR> + <I>Thu Oct 10 01:03:08 CEST 2013</I> + <P><UL> + <LI>Previous message: <A HREF="000265.html">[99s-extend] Cowboy Calling Hostname +</A></li> + <LI>Next message: <A HREF="000267.html">[99s-extend] Cowboy Calling Hostname +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#266">[ date ]</a> + <a href="thread.html#266">[ thread ]</a> + <a href="subject.html#266">[ subject ]</a> + <a href="author.html#266">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Depending on your requirements, there is a high likelihood that you +need to support pre-flight requests. Especially if you're intending +on providing credentials in the requests. Many of the interesting +headers are not simple headers (for CORS) and require a handshake +first between browser and server to ensure the headers in question are +allowed to be sent. + +This obviously limits the amount of information you can determine +about the caller. One alternative here, is the use of OAuth2 with the +'access_token' query parameter. This can be sent along with the +pre-flight request. + +On the other hand, some providers (Github, IIRC) will simply validate +a CORS request by comparing the 'Origin' against their entire list of +registered origins. This opens up some opportunity for abuse by other +clients in the system, but can be further mitigated by enforcing the +'Origin' more strictly at the authorization step of the request. + +As an aside, I have a cowboy middleware project to do the heavy +lifting for CORS at <A HREF="https://github.com/danielwhite/cowboy_cors.">https://github.com/danielwhite/cowboy_cors.</A> +Business policies can be implemented by means of a callback module. + +Cheers, + + +On Thu, Oct 10, 2013 at 4:28 AM, Lee Sylvester <<A HREF="https://lists.ninenines.eu/listinfo/extend">lee.sylvester at gmail.com</A>> wrote: +><i> Essentially, the REST service endpoint would be on widgets.net while the +</I>><i> clients website, in this case things.com, has a JavaScript that makes an +</I>><i> AJAX call to widgets.net. The account on widgets.net for things.com will +</I>><i> have the things.com domain registered to its account, so that widgets.net +</I>><i> can check to see if the request is coming from an expected domain. +</I>><i> +</I>><i> Thanks, +</I>><i> Lee +</I>><i> +</I>><i> +</I>><i> On 9 Oct 2013, at 16:51, Nathan Michaels <<A HREF="https://lists.ninenines.eu/listinfo/extend">nathan at nmichaels.org</A>> wrote: +</I>><i> +</I>><i> Is the client making the request to your service on widgets.net because +</I>><i> things.com sent them there, or is things.com making the request directly on +</I>><i> behalf of the client? The first is what Loïc is talking about. The second is +</I>><i> the source IP of the request, which you can definitely get. +</I>><i> +</I>><i> +</I>><i> On Wed, Oct 9, 2013 at 11:32 AM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>> wrote: +</I>>><i> +</I>>><i> In short: you can't. +</I>>><i> +</I>>><i> Browsers may send origin/referer/.. headers depending on the type of +</I>>><i> request, but you can't rely on them to be real or even just there. +</I>>><i> +</I>>><i> +</I>>><i> On 10/09/2013 05:30 PM, Lee Sylvester wrote: +</I>>>><i> +</I>>>><i> Thank you. I couldn't work out if that's the host being called from or +</I>>>><i> the host name in the request. For example, a store called things.com makes +</I>>>><i> a request to my service on widgets.net. I need to see that the request is +</I>>>><i> made FROM things.com for validation purposes. Is it correct that host will +</I>>>><i> provide this? +</I>>>><i> +</I>>>><i> Thanks, +</I>>>><i> Lee +</I>>>><i> +</I>>>><i> Sent from my iPhone +</I>>>><i> +</I>>>>><i> On Oct 9, 2013, at 2:31 PM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>> wrote: +</I>>>>><i> +</I>>>>><i> cowboy_req:host/1? +</I>>>>><i> +</I>>>>><i> Please use the nice manual we have now. +</I>>>>><i> +</I>>>>><i> <A HREF="http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req">http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req</A> +</I>>>>><i> +</I>>>>>><i> On 10/09/2013 03:27 PM, Lee Sylvester wrote: +</I>>>>>><i> Hi, +</I>>>>>><i> +</I>>>>>><i> When receiving a Cowboy request, is there a way to find out which +</I>>>>>><i> hostname the user made the request from? I'm using CORS in my REST and +</I>>>>>><i> Bullet app, where each call can be made through a given account. However, +</I>>>>>><i> I'd like to be able to lock requests for each account to a designated +</I>>>>>><i> hostname to protect that users account usage. +</I>>>>>><i> +</I>>>>>><i> Thanks, +</I>>>>>><i> Lee +</I>>>>>><i> +</I>>>>>><i> _______________________________________________ +</I>>>>>><i> Extend mailing list +</I>>>>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A> +</I>>>>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A> +</I>>>>><i> +</I>>>>><i> +</I>>>>><i> +</I>>>>><i> -- +</I>>>>><i> Loïc Hoguin +</I>>>>><i> Erlang Cowboy +</I>>>>><i> Nine Nines +</I>>>>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A> +</I>>><i> +</I>>><i> +</I>>><i> +</I>>><i> -- +</I>>><i> Loïc Hoguin +</I>>><i> Erlang Cowboy +</I>>><i> Nine Nines +</I>>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A> +</I>>><i> _______________________________________________ +</I>>><i> Extend mailing list +</I>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A> +</I>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A> +</I>><i> +</I>><i> +</I>><i> _______________________________________________ +</I>><i> Extend mailing list +</I>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A> +</I>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A> +</I>><i> +</I>><i> +</I>><i> +</I>><i> _______________________________________________ +</I>><i> Extend mailing list +</I>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A> +</I>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A> +</I>><i> +</I> + + +-- +Daniel White + +</PRE> + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000265.html">[99s-extend] Cowboy Calling Hostname +</A></li> + <LI>Next message: <A HREF="000267.html">[99s-extend] Cowboy Calling Hostname +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#266">[ date ]</a> + <a href="thread.html#266">[ thread ]</a> + <a href="subject.html#266">[ subject ]</a> + <a href="author.html#266">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend +mailing list</a><br> +</body></html> |