Programmer Humor

32031 readers

1280 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.

founded 5 years ago

MODERATORS

[email protected]

249

SPAs were a mistake (lemmy.world)

submitted 9 months ago by [email protected] to c/[email protected]

23 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] -5 points 9 months ago (2 children)

The point of the cookies being HttpOnly is that it makes them completely inaccessible to client side JavaScript, making a whole load of session hijack/XSS attacks impossible.

The request for a bearer token here circumvents this protection because then there's a way for a client to avoid cookies all together, making the API vulnerable again.

[–] [email protected] 12 points 9 months ago* (last edited 9 months ago)

Under what circumstance would a web client need to send an Authorization header at all? The browser sends the cookie and the server treats that as equivalent.

Malicious JavaScript in that case could theoretically forge a request using an auth token it acquired some other way by sending it as Authorization: Bearer in addition to the cookie, but 1) this would be extremely easy to defend against (just check for the cookie before you check the Authorization header) and 2) it would still not allow malicious JS code to access the user's auth token which was still stored in an HTTP only cookie, or really do anything that server side code (read: script kiddie scripts) couldn't, apart from sending a request from the web client's IP address.

[–] [email protected] 10 points 9 months ago

it makes them completely inaccessible to client side JavaScript

Dude literally said to do this for browser clients, and only support bearer tokens for non browser clients.