Re: setting headers in JS for HTTP Signature

On 2015-11-09 19:32, henry.story@bblfish.net wrote:
>
>> On 8 Nov 2015, at 11:17, henry.story@bblfish.net wrote:
>>
>> I have opened an issue on the whatwg Fetch issues list to see if
>> they can add a function to allow one to access the headers before
>> they get sent, so that one could actually sign as many of the
>> headers as possible.
>>
>> https://github.com/whatwg/fetch/issues/156
>
> On IRC annevk wrote (unofficially I suppose):
>
>> yeah I looked at that and that doesn't seem like something we'll address anytime soon
>> the headers to be transmitted are in the network stack which is mostly post-Fetch
>> although it's all a bit gobbled up admittedly since the standards are a bit post-implementation
>
> That's not that surprising.
>
> So as we can't get the Date or things that may play the role of a nonce, what do we do?
>
> WebID-RSA (https://github.com/solid/solid-spec#webid-rsa) has the server send a nonce. Though I am not sure how the server would remember which nonce was sent. Also the lack of a date seems to make it open to replay attacks (which is why having access to the date in the Signature is quite important).
>
> With HTTP Signatures we can get something like the WebID by passing a User header with the WebID. But we'd need to find a way to add an extra date header, which I suppose should never be more than a few seconds out of sync with the real date header.
>
> Any ideas?

Forgive my ignorance but I don't understand the problem.

Since SOP is ruling, I don't see how you could get hold of the WebID in the first place
unless it is the origin site requesting (which already should know about it).

Anders

>
>
> annevk also wrote (first impression - but it's always interesting to collect those)
>> That draft seems to sorta skip over justification for why it's a good idea to begin with
>
> Anyway, he's thinking about it. But even if they do advance we'd need something we can use now.
>
>
> Henry
>
>

Received on Monday, 9 November 2015 19:02:50 UTC