Draft CORS guidance for an IVOA JSON protocol
Russ Allbery
eagle at eyrie.org
Fri May 24 00:19:22 CEST 2024
Mark Taylor <m.b.taylor at bristol.ac.uk> writes:
> On Thu, 23 May 2024, Russ Allbery via grid wrote:
>> Non-browser x-www-form-urlencoded clients are much easier to handle
>> than this because non-browser clients almost certainly don't
>> authenticate with cookies and CSRF issues only apply to cookie-based
>> authentication. Since non-browser clients send Authorization headers,
>> they can be distinguished on the server side from browsers and their
>> requests can be passed through without requiring CSRF protection.
> In fact that's not the case, non-browser clients in the VO may
> authenticate using cookies. The recommended way to do authenticated
> access to e.g. the Gaia archive at ESAC is using cookies via curl:
> https://www.cosmos.esa.int/web/gaia-users/archive/programmatic-access#Sect_2$
> TOPCAT also uses cookies for authenticated access to the same service,
> and potentially to other services that advertise a www-authenticate
> scheme of "ivoa_cookie" (this arrangement is still in the process of
> standardisation).
Ah! Thank you, I had not realized that. So in that case a CSRF
protection mechanism is potentially also of interest to TOPCAT.
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
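As an added example, not code from this thread or from any IVOA draft: a minimal server-side check that follows the reasoning in the exchange above. Requests carrying an Authorization header pass without a CSRF check; cookie-authenticated requests are judged by their Origin/Referer, and a non-browser cookie client (the curl or TOPCAT case Mark raises) can opt in through a custom marker header, since a cross-site simple form POST cannot add one without a CORS preflight. The allowed-origin list and the X-Requested-With marker are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://archive.example.org"}  # constructed sample origin
CSRF_OPT_IN_HEADER = "x-requested-with"  # assumption: marker a non-browser client sets


def _origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def classify(headers: dict) -> str:
    """Return 'allow' or 'reject' for a form-urlencoded POST.

    headers: header-name -> value mapping for one request (case-insensitive).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "authorization" in h:
        # Browsers never attach Bearer/Basic credentials on their own to a
        # cross-site form POST, so this request cannot be a forgery.
        return "allow"
    if "cookie" not in h:
        return "allow"  # unauthenticated request: nothing to protect
    # Cookie-authenticated: a browser would attach this cookie to a cross-site
    # form POST, so we need evidence that the request is not forged.
    source = h.get("origin") or h.get("referer")
    if source:
        return "allow" if _origin_of(source) in ALLOWED_ORIGINS else "reject"
    # No Origin/Referer at all: typical of curl or TOPCAT using cookie auth.
    # Only the explicit marker header distinguishes them from an ambiguous
    # browser request, so without it the request is rejected.
    return "allow" if CSRF_OPT_IN_HEADER in h else "reject"


# Constructed sample requests, not captured traffic.
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLE_REQUESTS = {
    "browser_same_origin": {**FORM, "Cookie": "session=abc",
                            "Referer": "https://archive.example.org/query?x=1"},
    "browser_cross_site": {**FORM, "Cookie": "session=abc",
                           "Origin": "https://attacker.example.net"},
    "curl_bearer": {**FORM, "Authorization": "Bearer t0k3n"},
    "curl_cookie_plain": {**FORM, "Cookie": "session=abc"},
    "curl_cookie_opt_in": {**FORM, "Cookie": "session=abc", "X-Requested-With": "curl"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:22s} -> {classify(req)}")
```

The curl_cookie_plain case shows why the Authorization-header heuristic alone is not enough: a cookie-authenticated non-browser client is indistinguishable from an ambiguous browser request unless the protocol gives it some explicit signal to send.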