[99s-extend] Cowboy Calling Hostname

Lee Sylvester lee.sylvester at gmail.com
Thu Oct 10 08:05:23 CEST 2013


Thank you, Daniel.  The project looks very useful.  At this stage, I don't need to strictly require calls to come from a set domain but would like this to be a hurdle for hackers.  I may set up an IP restriction instead.

Thanks,
Lee

Sent from my iPhone

> On Oct 10, 2013, at 12:03 AM, Daniel White <daniel at whitehouse.id.au> wrote:
> 
> Depending on your requirements, there is a high likelihood that you
> need to support pre-flight requests.  Especially if you're intending
> on providing credentials in the requests.  Many of the interesting
> headers are not simple headers (for CORS) and require a handshake
> first between browser and server to ensure the headers in question are
> allowed to be sent.
> 
> This obviously limits the amount of information you can determine
> about the caller.  One alternative here, is the use of OAuth2 with the
> 'access_token' query parameter.  This can be sent along with the
> pre-flight request.
> 
> On the other hand, some providers (Github, IIRC) will simply validate
> a CORS request by comparing the 'Origin' against their entire list of
> registered origins.  This opens up some opportunity for abuse by other
> clients in the system, but can be further mitigated by enforcing the
> 'Origin' more strictly at the authorization step of the request.
> 
> As an aside, I have a cowboy middleware project to do the heavy
> lifting for CORS at https://github.com/danielwhite/cowboy_cors.
> Business policies can be implemented by means of a callback module.
> 
> Cheers,
> 
> 
>> On Thu, Oct 10, 2013 at 4:28 AM, Lee Sylvester <lee.sylvester at gmail.com> wrote:
>> Essentially, the REST service endpoint would be on widgets.net while the
>> client's website, in this case things.com, has a JavaScript that makes an
>> AJAX call to widgets.net.  The account on widgets.net for things.com will
>> have the things.com domain registered to its account, so that widgets.net
>> can check to see if the request is coming from an expected domain.
>> 
>> Thanks,
>> Lee
>> 
>> 
>> On 9 Oct 2013, at 16:51, Nathan Michaels <nathan at nmichaels.org> wrote:
>> 
>> Is the client making the request to your service on widgets.net because
>> things.com sent them there, or is things.com making the request directly on
>> behalf of the client? The first is what Loïc is talking about. The second is
>> the source IP of the request, which you can definitely get.
>> 
>> 
>>> On Wed, Oct 9, 2013 at 11:32 AM, Loïc Hoguin <essen at ninenines.eu> wrote:
>>> 
>>> In short: you can't.
>>> 
>>> Browsers may send origin/referer/.. headers depending on the type of
>>> request, but you can't rely on them to be real or even just there.
>>> 
>>> 
>>>> On 10/09/2013 05:30 PM, Lee Sylvester wrote:
>>>> 
>>>> Thank you.  I couldn't work out if that's the host being called from or
>>>> the host name in the request.  For example, a store called things.com makes
>>>> a request to my service on widgets.net.  I need to see that the request is
>>>> made FROM things.com for validation purposes. Is it correct that host will
>>>> provide this?
>>>> 
>>>> Thanks,
>>>> Lee
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On Oct 9, 2013, at 2:31 PM, Loïc Hoguin <essen at ninenines.eu> wrote:
>>>>> 
>>>>> cowboy_req:host/1?
>>>>> 
>>>>> Please use the nice manual we have now.
>>>>> 
>>>>>  http://ninenines.eu/docs/en/cowboy/HEAD/manual/cowboy_req
>>>>> 
>>>>>> On 10/09/2013 03:27 PM, Lee Sylvester wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> When receiving a Cowboy request, is there a way to find out which
>>>>>> hostname the user made the request from?  I'm using CORS in my REST and
>>>>>> Bullet app, where each call can be made through a given account.  However,
>>>>>> I'd like to be able to lock requests for each account to a designated
>>>>>> hostname to protect that user's account usage.
>>>>>> 
>>>>>> Thanks,
>>>>>> Lee
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Extend mailing list
>>>>>> Extend at lists.ninenines.eu
>>>>>> http://lists.ninenines.eu:81/listinfo/extend
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Loïc Hoguin
>>>>> Erlang Cowboy
>>>>> Nine Nines
>>>>> http://ninenines.eu
>>> 
>>> 
>>> 
>>> --
>>> Loïc Hoguin
>>> Erlang Cowboy
>>> Nine Nines
>>> http://ninenines.eu
>> 
>> 
> 
> 
> 
> -- 
> Daniel White
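As an added example that is not part of this thread or of cowboy_cors: the per-account Origin allow-list Daniel describes, with the pre-flight branch and Loïc's caveat, in plain Erlang. The request is modelled as a map of lower-case header names and the account registry as a hypothetical map, so no Cowboy API is assumed and it runs in any Erlang shell.

```erlang
-module(origin_check).
-export([decide/3, demo/0]).

%% Hypothetical registry: account id -> origins registered to that account
%% (the things.com account on widgets.net from the thread). Origins are
%% compared as whole scheme://host[:port] strings, never by substring.
accounts() ->
    #{<<"acct-things">> => [<<"https://things.com">>,
                            <<"https://www.things.com">>]}.

%% decide(Account, Method, ReqHeaders) -> {preflight, Resp} | {allow, Resp} | deny
%% ReqHeaders stands in for the Cowboy request: lower-case name -> value.
decide(Account, Method, ReqHeaders) ->
    Origin = maps:get(<<"origin">>, ReqHeaders, undefined),
    Registered = maps:get(Account, accounts(), []),
    case lists:member(Origin, Registered) of
        false ->
            %% Absent, "null" or unregistered Origin: refuse before doing any
            %% account work. As Loïc notes, a non-browser client can forge
            %% this header, so this is a hurdle, not authentication.
            deny;
        true ->
            %% Echo the exact origin (never "*" when credentials are involved)
            %% and mark the response as origin-dependent for caches.
            Resp = [{<<"access-control-allow-origin">>, Origin},
                    {<<"vary">>, <<"origin">>}],
            IsPreflight = Method =:= <<"OPTIONS">> andalso
                maps:is_key(<<"access-control-request-method">>, ReqHeaders),
            case IsPreflight of
                true ->
                    %% Pre-flight handshake the browser sends before a request
                    %% carrying non-simple headers such as Authorization.
                    {preflight, Resp ++
                        [{<<"access-control-allow-methods">>, <<"GET, POST">>},
                         {<<"access-control-allow-headers">>, <<"authorization, content-type">>},
                         {<<"access-control-max-age">>, <<"600">>}]};
                false ->
                    {allow, Resp}
            end
    end.

%% Constructed requests; run origin_check:demo() in an Erlang shell.
demo() ->
    Good = #{<<"origin">> => <<"https://things.com">>,
             <<"access-control-request-method">> => <<"POST">>},
    Lookalike = #{<<"origin">> => <<"https://things.com.example">>},
    {preflight, _} = decide(<<"acct-things">>, <<"OPTIONS">>, Good),
    {allow, _} = decide(<<"acct-things">>, <<"GET">>, Good),
    deny = decide(<<"acct-things">>, <<"GET">>, Lookalike),
    deny = decide(<<"acct-things">>, <<"GET">>, #{}),
    ok.
```

The Origin check only narrows which browser pages may call the account; the credential or token sent with the actual request still has to be validated separately, as Daniel's note about enforcing Origin at the authorization step implies.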