[PATCH cube signedrequest] Support new protocol version for signed requests coming from a browser

Denis Laxalde denis.laxalde at logilab.fr
Thu Jun 20 09:40:38 CEST 2019

Laurent Wouters wrote:
> # HG changeset patch
> # User Laurent Wouters <lwouters at cenotelie.fr>
> # Date 1560950479 -7200
> #      Wed Jun 19 15:21:19 2019 +0200
> # Node ID 48171b698f460abe8a9da2acb5091c8219c432ff
> # Parent  9cf3d9ab91e3fd3b3dda51991e73859cbce2abda
> Support new protocol version for signed requests coming from a browser

(I haven't read the patch in detail but only have a few general comments.)

> The current protocol for signed requests requires the use of the Date HTTP
> header. Although this works fine for clients that have full control over the
> HTTP headers they send, this is not working in the context of a web browser where
> the Date HTTP headers are forbidden to be programmatically set (and therefore
> used in any meaningful way)
> https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

I'm a bit surprised that one may want to allow an application to use
signed requests from the browser. Can't this be achieved through proper
CORS configuration? Can you provide more details on the intended usage?

> To avoid this issue, this changeset introduces a new protocol version that uses
> custom HTTP headers (X-Cubicweb-Foo) for non-standard, or otherwise forbidden
> HTTP headers. Instead of a date, this version of the protocol relies on the
> client generating a cryptographically-secured nonce that is passed in a header
> and included in the signature computation.

I think we'll need a bit more detail on the security aspects of this
proposal. I'd, for one, appreciate any kind of external references
demonstrating that this is a good practice.
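
Added example, not part of the original message or of the patch: server-side verification of a request signed over a client-generated nonce, including the replay check the server has to perform once no date is signed. The HMAC-SHA512 construction, the canonical string layout, the in-memory nonce store and all names are assumptions of this example, not the cube's actual protocol.

```python
import hashlib
import hmac
import secrets


def canonical(method, url, body, nonce):
    """Bytes covered by the signature (layout assumed for this example)."""
    fields = [method.upper(), url, hashlib.sha512(body).hexdigest(), nonce]
    # Length-prefix every field so that field boundaries cannot be shifted.
    return "".join(f"{len(f)}:{f}" for f in fields).encode()


def sign(secret, method, url, body, nonce):
    """Client side: HMAC-SHA512 over the canonical string, nonce included."""
    msg = canonical(method, url, body, nonce)
    return hmac.new(secret, msg, hashlib.sha512).hexdigest()


class NonceVerifier:
    """Server side: check the signature, then refuse any nonce already seen."""

    def __init__(self, secret):
        self._secret = secret
        self._seen = set()  # assumption: single process; workers would need a shared store

    def verify(self, method, url, body, nonce, signature):
        expected = sign(self._secret, method, url, body, nonce)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected: bad signature"
        if nonce in self._seen:  # same signed request presented twice
            return "rejected: replayed nonce"
        self._seen.add(nonce)
        return "accepted"


def demo():
    secret = b"constructed-demo-secret"  # constructed sample key
    server = NonceVerifier(secret)
    nonce = secrets.token_hex(16)  # 128-bit nonce from the OS CSPRNG
    body = b'{"title": "hello"}'  # constructed sample request body
    sig = sign(secret, "POST", "/entity", body, nonce)
    return [
        server.verify("POST", "/entity", body, nonce, sig),  # first use
        server.verify("POST", "/entity", body, nonce, sig),  # replay
        server.verify("POST", "/entity", b"tampered", nonce, sig),  # body changed
        server.verify("POST", "/entity", body, secrets.token_hex(16), sig),  # nonce swapped
    ]
```

Because no timestamp is signed here, an entry evicted from the nonce store becomes replayable again, so the store's retention policy is part of the protocol's security.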
