[99s-extend] Cowboy Calling Hostname

Daniel White daniel at whitehouse.id.au
Thu Oct 10 01:03:08 CEST 2013


Depending on your requirements, there is a high likelihood that you
need to support pre-flight requests, especially if you intend to
provide credentials in the requests.  Many of the interesting
headers are not simple headers (for CORS) and require a handshake
first between browser and server to ensure the headers in question are
allowed to be sent.

This obviously limits the amount of information you can determine
about the caller.  One alternative here is the use of OAuth2 with the
'access_token' query parameter.  This can be sent along with the
pre-flight request.

On the other hand, some providers (Github, IIRC) will simply validate
a CORS request by comparing the 'Origin' against their entire list of
registered origins.  This opens up some opportunity for abuse by other
clients in the system, but can be further mitigated by enforcing the
'Origin' more strictly at the authorization step of the request.

As an aside, I have a cowboy middleware project to do the heavy
lifting for CORS at https://github.com/danielwhite/cowboy_cors.
Business policies can be implemented by means of a callback module.

Cheers,


On Thu, Oct 10, 2013 at 4:28 AM, Lee Sylvester <lee.sylvester at gmail.com> wrote:
> Essentially, the REST service endpoint would be on widgets.net while the
> client's website, in this case things.com, has a JavaScript that makes an
> AJAX call to widgets.net.  The account on widgets.net for things.com will
> have the things.com domain registered to its account, so that widgets.net
> can check to see if the request is coming from an expected domain.
>
> Thanks,
> Lee
>
>
> On 9 Oct 2013, at 16:51, Nathan Michaels <nathan at nmichaels.org> wrote:
>
> Is the client making the request to your service on widgets.net because
> things.com sent them there, or is things.com making the request directly on
> behalf of the client? The first is what Loïc is talking about. The second is
> the source IP of the request, which you can definitely get.
>
>
> On Wed, Oct 9, 2013 at 11:32 AM, Loïc Hoguin <essen at ninenines.eu> wrote:
>>
>> In short: you can't.
>>
>> Browsers may send origin/referer/.. headers depending on the type of
>> request, but you can't rely on them to be real or even just there.
>>
>>
>> On 10/09/2013 05:30 PM, Lee Sylvester wrote:
>>>
>>> Thank you.  I couldn't work out if that's the host being called from or
>>> the host name in the request.  For example, a store called things.com makes
>>> a request to my service on widgets.net.  I need to see that the request is
>>> made FROM things.com for validation purposes. Is it correct that host will
>>> provide this?
>>>
>>> Thanks,
>>> Lee
>>>
>>> Sent from my iPhone
>>>
>>>> On Oct 9, 2013, at 2:31 PM, Loïc Hoguin <essen at ninenines.eu> wrote:
>>>>
>>>> cowboy_req:host/1?
>>>>
>>>> Please use the nice manual we have now.
>>>>
>>>>   http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req
>>>>
>>>>> On 10/09/2013 03:27 PM, Lee Sylvester wrote:
>>>>> Hi,
>>>>>
>>>>> When receiving a Cowboy request, is there a way to find out which
>>>>> hostname the user made the request from?  I'm using CORS in my REST and
>>>>> Bullet app, where each call can be made through a given account.  However,
>>>>> I'd like to be able to lock requests for each account to a designated
>>>>> hostname to protect that user's account usage.
>>>>>
>>>>> Thanks,
>>>>> Lee
>>>>>
>>>>> _______________________________________________
>>>>> Extend mailing list
>>>>> Extend at lists.ninenines.eu
>>>>> http://lists.ninenines.eu:81/listinfo/extend
>>>>
>>>>
>>>>
>>>> --
>>>> Loïc Hoguin
>>>> Erlang Cowboy
>>>> Nine Nines
>>>> http://ninenines.eu
>>
>>
>>
>> --
>> Loïc Hoguin
>> Erlang Cowboy
>> Nine Nines
>> http://ninenines.eu
>



-- 
Daniel White
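To make the per-account Origin lock discussed in this thread concrete, the
following is an added example for this page; it is not code from the thread,
from Cowboy, or from the cowboy_cors project.  It assumes the Cowboy 0.9 era
request API (cowboy_req:method/1, cowboy_req:qs_val/2, cowboy_req:header/2
and cowboy_req:reply/3,4, each returning the updated Req), a constructed
in-module registry of origins per account, and a hypothetical 'account' query
parameter standing in for whatever identifies the account on the request (the
OAuth2 access_token, in the variant above).  The point it shows is the
stricter form Daniel mentions: compare the Origin against the origins
registered for *that* account, by exact match, answer the pre-flight only for
a matching origin, and echo that single origin back rather than "*".

```erlang
%% Added example (not from the thread, Cowboy or cowboy_cors): lock each
%% account to its registered origins and answer CORS pre-flight requests.
%% Assumes the Cowboy 0.9 request API; registry contents are constructed.
-module(origin_lock_handler).
-behaviour(cowboy_http_handler).
-export([init/3, handle/2, terminate/3]).
-export([allowed_origin/2]).

%% Per-account registry of exact origins (scheme://host[:port]).
%% Constructed sample data; a real service would read this from storage.
registry() ->
    [{<<"things">>, [<<"https://things.com">>, <<"https://www.things.com">>]}].

%% Exact-match check against the origins registered for this account only,
%% so another client in the system cannot borrow things.com's origin.
%% No prefix or substring matching, "null" is not special-cased, and a
%% missing Origin header (or unknown account) fails rather than passes.
allowed_origin(Account, Origin) when is_binary(Origin) ->
    case lists:keyfind(Account, 1, registry()) of
        {Account, Origins} -> lists:member(Origin, Origins);
        false -> false
    end;
allowed_origin(_Account, _NoOrigin) ->
    false.

init({tcp, http}, Req, _Opts) ->
    {ok, Req, undefined}.

handle(Req, State) ->
    {Method, Req2} = cowboy_req:method(Req),
    %% Hypothetical 'account' query parameter; the query string travels with
    %% the pre-flight request, which is why it is usable here at all.
    {Account, Req3} = cowboy_req:qs_val(<<"account">>, Req2),
    {Origin, Req4} = cowboy_req:header(<<"origin">>, Req3),
    {ok, Req5} = case {allowed_origin(Account, Origin), Method} of
        {true, <<"OPTIONS">>} ->
            %% Pre-flight: grant only the methods and headers this service
            %% actually accepts, scoped to the one matching origin.
            cowboy_req:reply(204, cors_headers(Origin) ++ [
                {<<"access-control-allow-methods">>, <<"GET, POST">>},
                {<<"access-control-allow-headers">>,
                 <<"authorization, content-type">>},
                {<<"access-control-max-age">>, <<"600">>}
            ], Req4);
        {true, _} ->
            %% Actual request from a registered origin: normal response plus
            %% the CORS headers that let the browser expose it to the page.
            cowboy_req:reply(200, cors_headers(Origin),
                             <<"{\"ok\":true}">>, Req4);
        {false, _} ->
            %% Wrong, missing or foreign Origin: refuse at the authorization
            %% step and send no CORS headers, so even a request that reached
            %% us is not readable by the calling page.
            cowboy_req:reply(403, [], <<>>, Req4)
    end,
    {ok, Req5, State}.

%% Echo the single validated origin, never "*", when credentials are allowed;
%% Vary: Origin keeps shared caches from serving one origin's grant to another.
cors_headers(Origin) ->
    [{<<"access-control-allow-origin">>, Origin},
     {<<"access-control-allow-credentials">>, <<"true">>},
     {<<"vary">>, <<"origin">>}].

terminate(_Reason, _Req, _State) ->
    ok.
```

Mount it with an ordinary cowboy_router dispatch rule.  Two caveats apply,
both already raised in the thread: the Origin header is only meaningful for
browser-initiated requests (a browser will not let page script alter it, but
any non-browser client can send whatever Origin it likes, so the account's
credential still has to do the real authorization and the origin lock is a
usage restriction layered on top), and a pre-flight carries no cookies or
custom headers, so anything the check needs at OPTIONS time has to be in the
URL, as with the access_token query parameter mentioned above.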


