[Cosmo-dev] CMP and AJAX

Brian Moseley bcm at osafoundation.org
Wed Sep 20 20:27:25 PDT 2006


On 9/20/06, Brian Moseley <bcm at maz.org> wrote:
> On 9/19/06, Matthew Eernisse <mde at osafoundation.org> wrote:
>
> > Option 2 - Manually do Basic Authentication for every CMP request
> >
> > Manually setting the Authorization header with XHR seems to work great
> > in all our supported browsers (miraculously, even in Safari). I was
> > testing with my own XHR library, but Dojo's io.bind lets you do the same
> > thing easily by setting headers in kwArgs["headers"].
> >
> > You get no irritating authentication dialog box, and the browser doesn't
> > cache the credentials, so logging out of the app isn't a problem. This
> > seems like the nicest solution if we can get over the security hurdles.
> >
> > It does seem like you'd have to have the password sitting somewhere on
> > the client to do this with basic auth. It could be just a JS variable,
> > and you could even just save the base64-encoded 'username:password'
> > string, so it's not human-readable, but that's likely not sufficient. We
> > could probably do some other stuff too to make it pretty irritating to
> > try to retrieve, but in the end anyone with access to a JS shell and
> > knowledge of the source code could grab someone's password if the person
> > left themselves logged in.
>
> For the record, this is the approach I favor. I am not worried about
> defending against an attacker with a JS shell - if he's already at the
> keyboard with an in-process Cosmo session, he doesn't need to steal
> the password, cos he's already in ;)
>

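The manual Basic-auth approach described in the quoted message, as an added example that is not part of the original thread and not Cosmo's or Dojo's own code. It builds the Authorization value by hand per RFC 7617 (base64 of `user-id ":" password`), attaches it to a request config in the spirit of io.bind's kwArgs headers (the `makeCmpRequest` and `sendWithXhr` helpers are hypothetical stand-ins), and decodes it again to show the caveat Matthew raises: base64 is an encoding, not protection, so anyone who can read the variable holding the header has the password. It runs in a modern browser or in Node 16+ (both provide `btoa`, `atob`, `TextEncoder`); the XHR send is guarded so the file also loads where XMLHttpRequest does not exist.

```javascript
// Added example, not project code. Encode a UTF-8 string as base64. btoa()
// only accepts Latin-1 "binary strings", so run the text through TextEncoder
// first; otherwise a non-ASCII password would throw or be mangled.
function base64Utf8(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

function base64DecodeUtf8(b64) {
  const binary = atob(b64);
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Header value per RFC 7617: "Basic " + base64(user-id ":" password).
// The user-id may not contain ':' because the first ':' is the separator;
// the password may contain any number of them.
function basicAuthHeader(username, password) {
  if (username.includes(':')) throw new Error("user-id must not contain ':'");
  return 'Basic ' + base64Utf8(username + ':' + password);
}

// The reverse direction: the same thing anyone with a JS console (or a proxy
// on a non-TLS connection) can do to the stored header value. Returns null
// for anything that is not a well-formed Basic credential.
function parseBasicAuthHeader(value) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(value);
  if (!m) return null;
  const decoded = base64DecodeUtf8(m[1]);
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// Hypothetical request-config builder in the style of dojo.io.bind's kwArgs:
// the encoded credential lives in a closure and is attached to every CMP
// request, so the server never answers 401 and the browser never shows its
// credential dialog or caches the credential itself.
function makeCmpRequest(credential) {
  return function (url, method = 'GET', extraHeaders = {}) {
    return {
      url,
      method,
      headers: { ...extraHeaders, Authorization: credential },
    };
  };
}

// Send such a config with XMLHttpRequest. Browser only; returns false where
// XMLHttpRequest is not defined (e.g. plain Node) instead of throwing.
function sendWithXhr(req, onLoad) {
  if (typeof XMLHttpRequest === 'undefined') return false;
  const xhr = new XMLHttpRequest();
  xhr.open(req.method, req.url, true);
  for (const [name, value] of Object.entries(req.headers)) {
    xhr.setRequestHeader(name, value);
  }
  xhr.onload = () => onLoad(xhr.status, xhr.responseText);
  xhr.send();
  return true;
}

// Usage (constructed credentials, not real accounts):
const credential = basicAuthHeader('bcm', 's3cret');
const cmp = makeCmpRequest(credential);
const req = cmp('/cmp/user/bcm', 'GET', { Accept: 'application/xml' });
sendWithXhr(req, (status) => console.log('CMP status', status));
```

Note that `parseBasicAuthHeader(credential)` recovers `bcm` / `s3cret` in one line, which is exactly why keeping the header value in a JS variable is only as safe as the machine and session it lives on; Basic credentials also have to travel over TLS, since the encoding gives no confidentiality on the wire either.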
