Draft CORS guidance for an IVOA JSON protocol
Mark Taylor
m.b.taylor at bristol.ac.uk
Fri May 24 00:02:18 CEST 2024
Russ,
On Thu, 23 May 2024, Russ Allbery via grid wrote:
> Non-browser x-www-form-urlencoded clients are much easier to handle than
> this because non-browser clients almost certainly don't authenticate with
> cookies and CSRF issues only apply to cookie-based authentication. Since
> non-browser clients send Authorization headers, they can be distinguished
> on the server side from browsers and their requests can be passed through
> without requiring CSRF protection.
In fact that's not the case: non-browser clients in the VO may
authenticate using cookies. The recommended way to do authenticated
access to e.g. the Gaia archive at ESAC is using cookies via curl:
https://www.cosmos.esa.int/web/gaia-users/archive/programmatic-access#Sect_2$
TOPCAT also uses cookies for authenticated access to the same service,
and potentially to other services that advertise a www-authenticate
scheme of "ivoa_cookie" (this arrangement is still in the process
of standardisation).
Mark
--
Mark Taylor Astronomical Programmer Physics, Bristol University, UK
m.b.taylor at bristol.ac.uk https://www.star.bristol.ac.uk/mbt/
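As an added illustration of the point made in this exchange (not code from either poster nor from any IVOA project): a minimal server-side classifier comparing the "Authorization header means non-browser" heuristic with a rule that keys CSRF handling on the credential type and decides cookie-authenticated requests from the browser-supplied Origin and Sec-Fetch-Site headers. The service origin and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field

SERVICE_ORIGIN = "https://archive.example.org"  # assumed origin of the service


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def header(self, name):
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower())


def classify_naive(req):
    """Heuristic under discussion: Authorization header => non-browser,
    pass through; anything else is assumed to be a browser and must
    satisfy the protocol's CSRF machinery (token, custom header)."""
    return "pass-through" if req.header("Authorization") else "csrf-required"


def decide(req):
    """Hardened rule: CSRF handling depends on the credential, not on a
    guess about the client. A cookie-authenticated state-changing request
    is accepted only if browser metadata rules out a cross-site submission.
    curl/TOPCAT send neither Origin nor Sec-Fetch-Site, while modern
    browsers always send Origin on cross-origin POSTs, so the cookie-using
    non-browser clients pass without a token they could not obtain."""
    if req.method in ("GET", "HEAD", "OPTIONS") or not req.cookies:
        return "accept"  # safe method, or not cookie-authenticated at all
    site = req.header("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return "reject"  # Fetch Metadata reports cross-site or same-site
    origin = req.header("Origin")
    if origin is not None and origin != SERVICE_ORIGIN:
        return "reject"  # cross-origin browser request
    return "accept"


# Constructed sample requests (cookie values are placeholders)
CURL_WITH_COOKIE = Request("POST", {"User-Agent": "curl/8.0"}, {"JSESSIONID": "c0"})
TOPCAT_WITH_COOKIE = Request("POST", {"User-Agent": "TOPCAT"}, {"JSESSIONID": "c1"})
BEARER_CLIENT = Request("POST", {"Authorization": "Bearer t0k3n"})
BROWSER_CROSS_SITE = Request("POST", {"Origin": "https://attacker.example",
                                      "Sec-Fetch-Site": "cross-site"},
                             {"JSESSIONID": "c2"})
BROWSER_SAME_ORIGIN = Request("POST", {"Origin": SERVICE_ORIGIN,
                                       "Sec-Fetch-Site": "same-origin"},
                              {"JSESSIONID": "c3"})
```

Under the naive heuristic the curl and TOPCAT requests land in the "csrf-required" bucket alongside browsers, which is exactly the case the reply above raises; the hardened rule accepts them while still rejecting the cross-site browser POST.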