[99s-extend] Cowboy Calling Hostname
Lee Sylvester
lee.sylvester at gmail.com
Thu Oct 10 08:05:23 CEST 2013
Thank you, Daniel. The project looks very useful. At this stage, I don't need to strictly require calls to come from a set domain but would like this to be a hurdle for hackers. I may set up an IP restriction instead.
Thanks,
Lee
Sent from my iPhone
> On Oct 10, 2013, at 12:03 AM, Daniel White <daniel at whitehouse.id.au> wrote:
>
> Depending on your requirements, there is a high likelihood that you
> need to support pre-flight requests. Especially if you're intending
> on providing credentials in the requests. Many of the interesting
> headers are not simple headers (for CORS) and require a handshake
> first between browser and server to ensure the headers in question are
> allowed to be sent.
>
> This obviously limits the amount of information you can determine
> about the caller. One alternative here is the use of OAuth2 with the
> 'access_token' query parameter. This can be sent along with the
> pre-flight request.
>
> On the other hand, some providers (Github, IIRC) will simply validate
> a CORS request by comparing the 'Origin' against their entire list of
> registered origins. This opens up some opportunity for abuse by other
> clients in the system, but can be further mitigated by enforcing the
> 'Origin' more strictly at the authorization step of the request.
>
> As an aside, I have a cowboy middleware project to do the heavy
> lifting for CORS at https://github.com/danielwhite/cowboy_cors.
> Business policies can be implemented by means of a callback module.
>
> Cheers,
>
>
>> On Thu, Oct 10, 2013 at 4:28 AM, Lee Sylvester <lee.sylvester at gmail.com> wrote:
>> Essentially, the REST service endpoint would be on widgets.net while the
>> client's website, in this case things.com, has a JavaScript that makes an
>> AJAX call to widgets.net. The account on widgets.net for things.com will
>> have the things.com domain registered to its account, so that widgets.net
>> can check to see if the request is coming from an expected domain.
>>
>> Thanks,
>> Lee
>>
>>
>> On 9 Oct 2013, at 16:51, Nathan Michaels <nathan at nmichaels.org> wrote:
>>
>> Is the client making the request to your service on widgets.net because
>> things.com sent them there, or is things.com making the request directly on
>> behalf of the client? The first is what Loïc is talking about. The second is
>> the source IP of the request, which you can definitely get.
>>
>>
>>> On Wed, Oct 9, 2013 at 11:32 AM, Loïc Hoguin <essen at ninenines.eu> wrote:
>>>
>>> In short: you can't.
>>>
>>> Browsers may send origin/referer/.. headers depending on the type of
>>> request, but you can't rely on them to be real or even just there.
>>>
>>>
>>>> On 10/09/2013 05:30 PM, Lee Sylvester wrote:
>>>>
>>>> Thank you. I couldn't work out if that's the host being called from or
>>>> the host name in the request. For example, a store called things.com makes
>>>> a request to my service on widgets.net. I need to see that the request is
>>>> made FROM things.com for validation purposes. Is it correct that host will
>>>> provide this?
>>>>
>>>> Thanks,
>>>> Lee
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Oct 9, 2013, at 2:31 PM, Loïc Hoguin <essen at ninenines.eu> wrote:
>>>>>
>>>>> cowboy_req:host/1?
>>>>>
>>>>> Please use the nice manual we have now.
>>>>>
>>>>> http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req
>>>>>
>>>>>> On 10/09/2013 03:27 PM, Lee Sylvester wrote:
>>>>>> Hi,
>>>>>>
>>>>>> When receiving a Cowboy request, is there a way to find out which
>>>>>> hostname the user made the request from? I'm using CORS in my REST and
>>>>>> Bullet app, where each call can be made through a given account. However,
>>>>>> I'd like to be able to lock requests for each account to a designated
>>>>>> hostname to protect that user's account usage.
>>>>>>
>>>>>> Thanks,
>>>>>> Lee
>>>>>>
>>>>>> _______________________________________________
>>>>>> Extend mailing list
>>>>>> Extend at lists.ninenines.eu
>>>>>> http://lists.ninenines.eu:81/listinfo/extend
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Loïc Hoguin
>>>>> Erlang Cowboy
>>>>> Nine Nines
>>>>> http://ninenines.eu
>>>
>>>
>>>
>>> --
>>> Loïc Hoguin
>>> Erlang Cowboy
>>> Nine Nines
>>> http://ninenines.eu
>
>
>
> --
> Daniel White
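Daniel's suggestion above (compare the request's Origin against the origins registered to the account, and answer the pre-flight before the real request arrives), as an added example that is not code from this thread, from Cowboy or from cowboy_cors. It is framework-independent Python showing the decision logic a Cowboy callback module would implement; the account registry, the allowed method/header lists and the lowercase header dict are constructed assumptions, and how the account is resolved (for example from an access token) is left to the caller.

```python
from urllib.parse import urlsplit

# Constructed sample registry: account -> origins registered to it (scheme + host, optional port).
REGISTERED_ORIGINS = {
    "acct-things": {"https://things.com", "https://www.things.com"},
}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}       # assumed API policy
ALLOWED_HEADERS = {"authorization", "content-type"}      # non-simple headers we accept


def normalize_origin(value):
    """Reduce a raw Origin header to scheme://host[:port], or None if absent or unusable."""
    if not value or value == "null":
        return None
    p = urlsplit(value)
    if p.scheme not in ("http", "https") or not p.hostname or p.path or p.query or p.fragment:
        return None
    try:
        port = f":{p.port}" if p.port else ""
    except ValueError:
        return None
    return f"{p.scheme}://{p.hostname.lower()}{port}"


def cors_decision(account, method, headers):
    """Return (status, response_headers, proceed) for a request made under `account`.

    proceed=True means run the normal handler and add response_headers to its reply;
    otherwise status/response_headers are the immediate reply (pre-flight or refusal).
    """
    origin = normalize_origin(headers.get("origin"))
    if origin is None:
        # No usable Origin: not a browser cross-origin call. Nothing to allow or deny here,
        # so the usual token/IP checks must still run (a non-browser client sends no Origin).
        return 200, {}, True
    if origin not in REGISTERED_ORIGINS.get(account, set()):
        # Exact-match against this account's own list: "things.com.evil.net" or another
        # tenant's registered origin never unlocks this account.
        return 403, {}, False
    cors = {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}
    requested = headers.get("access-control-request-method")
    if method == "OPTIONS" and requested:
        # Pre-flight: the browser asks whether the method and non-simple headers may be sent.
        raw = headers.get("access-control-request-headers", "")
        wanted = {h.strip().lower() for h in raw.split(",") if h.strip()}
        if requested not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
            return 403, {}, False
        cors["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        cors["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        cors["Access-Control-Max-Age"] = "600"
        return 204, cors, False
    return 200, cors, True
```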