Re: Semi-public resources in Uniform Messaging

On Wed, 9 Dec 2009, Tyler Close wrote:
> On Wed, Dec 9, 2009 at 7:43 AM, Ian Hickson <ian@hixie.ch> wrote:
> > Ok, let's move on to a more complex case.
> >
> > Consider a static resource that is protected by a cookie authentication
> > mechanism. For example, a per-user static feed updated daily on some
> > server by some automated process. The server is accessible on the public
> > Web. The administrator of this service has agreements with numerous
> > trusted sites, let's say a dozen sites, which are allowed to fetch this
> > file using XHR (assuming the user is already logged in). The sites that
> > fetch this file do not require authentication (e.g. one could be my portal
> > page, which is just a static HTML page, without any server-side script).
> > Other sites must not be allowed access to the file.
> >
> > How does one configure the server to handle this case?
> 
> Again going with the simplest thing that could possibly work:
> 
> Each of the per-user static feeds is referenced by a unique
> unguessable URL of the same format used in the previous example. For
> example,
> 
> https://example.com/user123/?s=42tjiyrvnbpoal
> https://example.com/user456/?s=sdfher34nvl34
> ...
> 
> Again, a GET response from such a URL carries the same-origin opt-out 
> header.
> 
> The user gives this URL only to those services he wants to access the 
> feed. For example, you could copy this URL into your personal static 
> HTML page that acts as your portal.

I think asking users to pass around secret tokens is a non-starter.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 9 December 2009 18:11:08 UTC
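
The server-side check implied by the unguessable-URL scheme quoted above, as an added example that is not part of the original thread: access depends only on the `s` token in the URL, never on cookies or the requesting origin, and the token can be rotated if it leaks. The function names, the in-memory store, and the use of `Access-Control-Allow-Origin: *` as the "same-origin opt-out header" are assumptions made for this sketch.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Hypothetical in-memory store: user id -> current secret token.
FEED_TOKENS = {}

def issue_feed_url(user_id):
    """Create (or rotate) the unguessable feed URL for one user."""
    token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    FEED_TOKENS[user_id] = token       # replaces any earlier token
    return f"https://example.com/{user_id}/?s={token}"

def handle_get(url, request_headers=None):
    """Return (status, response_headers, body) for a GET on a feed URL.

    request_headers (Cookie, Origin, ...) is accepted but deliberately
    unused: knowledge of the URL is the only credential.
    """
    parts = urlsplit(url)
    user_id = parts.path.strip("/")
    presented = parse_qs(parts.query).get("s", [""])[0]
    expected = FEED_TOKENS.get(user_id)
    # Compare against a throwaway value for unknown users so both failure
    # cases take the same path and return the same response.
    reference = expected if expected is not None else secrets.token_urlsafe(16)
    match = hmac.compare_digest(presented.encode(), reference.encode())
    if expected is None or not match:
        return 404, {}, b""
    headers = {
        # Assumption: this is the opt-out header the thread refers to.
        "Access-Control-Allow-Origin": "*",
        # Keep the per-user body out of shared caches.
        "Cache-Control": "private, no-store",
    }
    return 200, headers, f"feed for {user_id}".encode()  # constructed body

if __name__ == "__main__":
    url = issue_feed_url("user123")
    print(handle_get(url)[0])                                      # valid token
    print(handle_get("https://example.com/user123/?s=guess")[0])   # wrong token
    rotated = issue_feed_url("user123")
    print(handle_get(url)[0], handle_get(rotated)[0])              # old vs new
```

Because the token travels in the URL, it also ends up wherever URLs are recorded (server logs, browser history, pages that embed it), so rotation is the only revocation mechanism this design offers.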