summaryrefslogtreecommitdiffstats
path: root/_build/static/archives/extend/2013-October/000266.html
blob: 32c5a245a4f0bf73a2328f67cf57139911e6041d (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
 <HEAD>
   <TITLE> [99s-extend] Cowboy Calling Hostname
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3CCAMD5n_3RJT3Nd0p4cbgCtR1XavDXSY6kaWTbwiLwqH_bF74KOw%40mail.gmail.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <style type="text/css">
       pre {
           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
           }
   </style>
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000265.html">
   <LINK REL="Next"  HREF="000267.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[99s-extend] Cowboy Calling Hostname</H1>
    <B>Daniel White</B> 
    <A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3CCAMD5n_3RJT3Nd0p4cbgCtR1XavDXSY6kaWTbwiLwqH_bF74KOw%40mail.gmail.com%3E"
       TITLE="[99s-extend] Cowboy Calling Hostname">daniel at whitehouse.id.au
       </A><BR>
    <I>Thu Oct 10 01:03:08 CEST 2013</I>
    <P><UL>
        <LI>Previous message: <A HREF="000265.html">[99s-extend] Cowboy Calling Hostname
</A></li>
        <LI>Next message: <A HREF="000267.html">[99s-extend] Cowboy Calling Hostname
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#266">[ date ]</a>
              <a href="thread.html#266">[ thread ]</a>
              <a href="subject.html#266">[ subject ]</a>
              <a href="author.html#266">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Depending on your requirements, there is a high likelihood that you
need to support pre-flight requests.  Especially if you're intending
on providing credentials in the requests.  Many of the interesting
headers are not simple headers (for CORS) and require a handshake
first between browser and server to ensure the headers in question are
allowed to be sent.

This obviously limits the amount of information you can determine
about the caller.  One alternative here, is the use of OAuth2 with the
'access_token' query parameter.  This can be sent along with the
pre-flight request.

On the other hand, some providers (Github, IIRC) will simply validate
a CORS request by comparing the 'Origin' against their entire list of
registered origins.  This opens up some opportunity for abuse by other
clients in the system, but can be further mitigated by enforcing the
'Origin' more strictly at the authorization step of the request.

As an aside, I have a cowboy middleware project to do the heavy
lifting for CORS at <A HREF="https://github.com/danielwhite/cowboy_cors.">https://github.com/danielwhite/cowboy_cors.</A>
Business policies can be implemented by means of a callback module.

Cheers,


On Thu, Oct 10, 2013 at 4:28 AM, Lee Sylvester &lt;<A HREF="https://lists.ninenines.eu/listinfo/extend">lee.sylvester at gmail.com</A>&gt; wrote:
&gt;<i> Essentially, the REST service endpoint would be on widgets.net while the
</I>&gt;<i> clients website, in this case things.com, has a JavaScript that makes an
</I>&gt;<i> AJAX call to widgets.net.  The account on widgets.net for things.com will
</I>&gt;<i> have the things.com domain registered to its account, so that widgets.net
</I>&gt;<i> can check to see if the request is coming from an expected domain.
</I>&gt;<i>
</I>&gt;<i> Thanks,
</I>&gt;<i> Lee
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> On 9 Oct 2013, at 16:51, Nathan Michaels &lt;<A HREF="https://lists.ninenines.eu/listinfo/extend">nathan at nmichaels.org</A>&gt; wrote:
</I>&gt;<i>
</I>&gt;<i> Is the client making the request to your service on widgets.net because
</I>&gt;<i> things.com sent them there, or is things.com making the request directly on
</I>&gt;<i> behalf of the client? The first is what Lo&#239;c is talking about. The second is
</I>&gt;<i> the source IP of the request, which you can definitely get.
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> On Wed, Oct 9, 2013 at 11:32 AM, Lo&#239;c Hoguin &lt;<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>&gt; wrote:
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> In short: you can't.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> Browsers may send origin/referer/.. headers depending on the type of
</I>&gt;&gt;<i> request, but you can't rely on them to be real or even just there.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> On 10/09/2013 05:30 PM, Lee Sylvester wrote:
</I>&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;<i> Thank you.  I couldn't work out if that's the host being called from or
</I>&gt;&gt;&gt;<i> the host name in the request.  For example, a store called things.com makes
</I>&gt;&gt;&gt;<i> a request to my service on widgets.net.  I need to see that the request is
</I>&gt;&gt;&gt;<i> made FROM things.com for validation purposes. Is it correct that host will
</I>&gt;&gt;&gt;<i> provide this?
</I>&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;<i> Thanks,
</I>&gt;&gt;&gt;<i> Lee
</I>&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;<i> Sent from my iPhone
</I>&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;<i> On Oct 9, 2013, at 2:31 PM, Lo&#239;c Hoguin &lt;<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>&gt; wrote:
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;<i> cowboy_req:host/1?
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;<i> Please use the nice manual we have now.
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;<i>   <A HREF="http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req">http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req</A>
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;&gt;<i> On 10/09/2013 03:27 PM, Lee Sylvester wrote:
</I>&gt;&gt;&gt;&gt;&gt;<i> Hi,
</I>&gt;&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;&gt;<i> When receiving a Cowboy request, is there a way to find out which
</I>&gt;&gt;&gt;&gt;&gt;<i> hostname the user made the request from?  I'm using CORS in my REST and
</I>&gt;&gt;&gt;&gt;&gt;<i> Bullet app, where each call can be made through a given account.  However,
</I>&gt;&gt;&gt;&gt;&gt;<i> I'd like to be able to lock requests for each account to a designated
</I>&gt;&gt;&gt;&gt;&gt;<i> hostname to protect that users account usage.
</I>&gt;&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;&gt;<i> Thanks,
</I>&gt;&gt;&gt;&gt;&gt;<i> Lee
</I>&gt;&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;&gt;<i> _______________________________________________
</I>&gt;&gt;&gt;&gt;&gt;<i> Extend mailing list
</I>&gt;&gt;&gt;&gt;&gt;<i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>&gt;&gt;&gt;&gt;&gt;<i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;<i>
</I>&gt;&gt;&gt;&gt;<i> --
</I>&gt;&gt;&gt;&gt;<i> Lo&#239;c Hoguin
</I>&gt;&gt;&gt;&gt;<i> Erlang Cowboy
</I>&gt;&gt;&gt;&gt;<i> Nine Nines
</I>&gt;&gt;&gt;&gt;<i> <A HREF="http://ninenines.eu">http://ninenines.eu</A>
</I>&gt;&gt;<i>
</I>&gt;&gt;<i>
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> --
</I>&gt;&gt;<i> Lo&#239;c Hoguin
</I>&gt;&gt;<i> Erlang Cowboy
</I>&gt;&gt;<i> Nine Nines
</I>&gt;&gt;<i> <A HREF="http://ninenines.eu">http://ninenines.eu</A>
</I>&gt;&gt;<i> _______________________________________________
</I>&gt;&gt;<i> Extend mailing list
</I>&gt;&gt;<i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>&gt;&gt;<i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> _______________________________________________
</I>&gt;<i> Extend mailing list
</I>&gt;<i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>&gt;<i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> _______________________________________________
</I>&gt;<i> Extend mailing list
</I>&gt;<i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>&gt;<i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>&gt;<i>
</I>


-- 
Daniel White

</PRE>

<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="000265.html">[99s-extend] Cowboy Calling Hostname
</A></li>
	<LI>Next message: <A HREF="000267.html">[99s-extend] Cowboy Calling Hostname
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#266">[ date ]</a>
              <a href="thread.html#266">[ thread ]</a>
              <a href="subject.html#266">[ subject ]</a>
              <a href="author.html#266">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend
mailing list</a><br>
</body></html>