1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> [99s-extend] Cowboy Calling Hostname
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3C9CEDE09F-E3AF-47FB-95B4-6550000B4CE7%40gmail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<style type="text/css">
pre {
white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */
}
</style>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000266.html">
<LINK REL="Next" HREF="000268.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[99s-extend] Cowboy Calling Hostname</H1>
<B>Lee Sylvester</B>
<A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20Calling%20Hostname&In-Reply-To=%3C9CEDE09F-E3AF-47FB-95B4-6550000B4CE7%40gmail.com%3E"
TITLE="[99s-extend] Cowboy Calling Hostname">lee.sylvester at gmail.com
</A><BR>
<I>Thu Oct 10 08:05:23 CEST 2013</I>
<P><UL>
<LI>Previous message: <A HREF="000266.html">[99s-extend] Cowboy Calling Hostname
</A></li>
<LI>Next message: <A HREF="000268.html">[99s-extend] SSL Example
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#267">[ date ]</a>
<a href="thread.html#267">[ thread ]</a>
<a href="subject.html#267">[ subject ]</a>
<a href="author.html#267">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Thank you, Daniel. The project looks very useful. At this stage, I don't need to strictly require calls to come from a set domain but would like this to be a hurdle for hackers. I may set up an IP restriction instead.
Thanks,
Lee
Sent from my iPhone
><i> On Oct 10, 2013, at 12:03 AM, Daniel White <<A HREF="https://lists.ninenines.eu/listinfo/extend">daniel at whitehouse.id.au</A>> wrote:
</I>><i>
</I>><i> Depending on your requirements, there is a high likelihood that you
</I>><i> need to support pre-flight requests. Especially if you're intending
</I>><i> on providing credentials in the requests. Many of the interesting
</I>><i> headers are not simple headers (for CORS) and require a handshake
</I>><i> first between browser and server to ensure the headers in question are
</I>><i> allowed to be sent.
</I>><i>
</I>><i> This obviously limits the amount of information you can determine
</I>><i> about the caller. One alternative here, is the use of OAuth2 with the
</I>><i> 'access_token' query parameter. This can be sent along with the
</I>><i> pre-flight request.
</I>><i>
</I>><i> On the other hand, some providers (Github, IIRC) will simply validate
</I>><i> a CORS request by comparing the 'Origin' against their entire list of
</I>><i> registered origins. This opens up some opportunity for abuse by other
</I>><i> clients in the system, but can be further mitigated by enforcing the
</I>><i> 'Origin' more strictly at the authorization step of the request.
</I>><i>
</I>><i> As an aside, I have a cowboy middleware project to do the heavy
</I>><i> lifting for CORS at <A HREF="https://github.com/danielwhite/cowboy_cors.">https://github.com/danielwhite/cowboy_cors.</A>
</I>><i> Business policies can be implemented by means of a callback module.
</I>><i>
</I>><i> Cheers,
</I>><i>
</I>><i>
</I>>><i> On Thu, Oct 10, 2013 at 4:28 AM, Lee Sylvester <<A HREF="https://lists.ninenines.eu/listinfo/extend">lee.sylvester at gmail.com</A>> wrote:
</I>>><i> Essentially, the REST service endpoint would be on widgets.net while the
</I>>><i> clients website, in this case things.com, has a JavaScript that makes an
</I>>><i> AJAX call to widgets.net. The account on widgets.net for things.com will
</I>>><i> have the things.com domain registered to its account, so that widgets.net
</I>>><i> can check to see if the request is coming from an expected domain.
</I>>><i>
</I>>><i> Thanks,
</I>>><i> Lee
</I>>><i>
</I>>><i>
</I>>><i> On 9 Oct 2013, at 16:51, Nathan Michaels <<A HREF="https://lists.ninenines.eu/listinfo/extend">nathan at nmichaels.org</A>> wrote:
</I>>><i>
</I>>><i> Is the client making the request to your service on widgets.net because
</I>>><i> things.com sent them there, or is things.com making the request directly on
</I>>><i> behalf of the client? The first is what Loïc is talking about. The second is
</I>>><i> the source IP of the request, which you can definitely get.
</I>>><i>
</I>>><i>
</I>>>><i> On Wed, Oct 9, 2013 at 11:32 AM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>> wrote:
</I>>>><i>
</I>>>><i> In short: you can't.
</I>>>><i>
</I>>>><i> Browsers may send origin/referer/.. headers depending on the type of
</I>>>><i> request, but you can't rely on them to be real or even just there.
</I>>>><i>
</I>>>><i>
</I>>>>><i> On 10/09/2013 05:30 PM, Lee Sylvester wrote:
</I>>>>><i>
</I>>>>><i> Thank you. I couldn't work out if that's the host being called from or
</I>>>>><i> the host name in the request. For example, a store called things.com makes
</I>>>>><i> a request to my service on widgets.net. I need to see that the request is
</I>>>>><i> made FROM things.com for validation purposes. Is it correct that host will
</I>>>>><i> provide this?
</I>>>>><i>
</I>>>>><i> Thanks,
</I>>>>><i> Lee
</I>>>>><i>
</I>>>>><i> Sent from my iPhone
</I>>>>><i>
</I>>>>>><i> On Oct 9, 2013, at 2:31 PM, Loïc Hoguin <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>> wrote:
</I>>>>>><i>
</I>>>>>><i> cowboy_req:host/1?
</I>>>>>><i>
</I>>>>>><i> Please use the nice manual we have now.
</I>>>>>><i>
</I>>>>>><i> <A HREF="http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req">http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req</A>
</I>>>>>><i>
</I>>>>>>><i> On 10/09/2013 03:27 PM, Lee Sylvester wrote:
</I>>>>>>><i> Hi,
</I>>>>>>><i>
</I>>>>>>><i> When receiving a Cowboy request, is there a way to find out which
</I>>>>>>><i> hostname the user made the request from? I'm using CORS in my REST and
</I>>>>>>><i> Bullet app, where each call can be made through a given account. However,
</I>>>>>>><i> I'd like to be able to lock requests for each account to a designated
</I>>>>>>><i> hostname to protect that users account usage.
</I>>>>>>><i>
</I>>>>>>><i> Thanks,
</I>>>>>>><i> Lee
</I>>>>>>><i>
</I>>>>>>><i> _______________________________________________
</I>>>>>>><i> Extend mailing list
</I>>>>>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>>>>>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>>>>>><i>
</I>>>>>><i>
</I>>>>>><i>
</I>>>>>><i> --
</I>>>>>><i> Loïc Hoguin
</I>>>>>><i> Erlang Cowboy
</I>>>>>><i> Nine Nines
</I>>>>>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A>
</I>>>><i>
</I>>>><i>
</I>>>><i>
</I>>>><i> --
</I>>>><i> Loïc Hoguin
</I>>>><i> Erlang Cowboy
</I>>>><i> Nine Nines
</I>>>><i> <A HREF="http://ninenines.eu">http://ninenines.eu</A>
</I>>>><i> _______________________________________________
</I>>>><i> Extend mailing list
</I>>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>>><i>
</I>>><i>
</I>>><i> _______________________________________________
</I>>><i> Extend mailing list
</I>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>>><i>
</I>>><i>
</I>>><i>
</I>>><i> _______________________________________________
</I>>><i> Extend mailing list
</I>>><i> <A HREF="https://lists.ninenines.eu/listinfo/extend">Extend at lists.ninenines.eu</A>
</I>>><i> <A HREF="http://lists.ninenines.eu:81/listinfo/extend">http://lists.ninenines.eu:81/listinfo/extend</A>
</I>><i>
</I>><i>
</I>><i>
</I>><i> --
</I>><i> Daniel White
</I>
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="000266.html">[99s-extend] Cowboy Calling Hostname
</A></li>
<LI>Next message: <A HREF="000268.html">[99s-extend] SSL Example
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#267">[ date ]</a>
<a href="thread.html#267">[ thread ]</a>
<a href="subject.html#267">[ subject ]</a>
<a href="author.html#267">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend
mailing list</a><br>
</body></html>
|
