[oae-production] [oae-dev] Server Protection Service HMAC creation breaks when app and content server are both on SSL

Daniel Parry daniel at caret.cam.ac.uk
Tue Oct 4 06:36:13 PDT 2011


On Mon, Oct 03, 2011 at 09:58:04AM -0700, Ray Davis wrote:
> Also, worried operations staff may prefer to give untrusted content its 
> own dedicated virtual host name, since the cookie same-origin policy 
> does not mandate paying attention to protocol or port number. In 
> particular, I've seen browsers "in the wild" ignore port numbers, which 
> means that trusted cookies at "https://example.edu:443/" would leak into 
> untrusted URLs at "https://example.edu:446/".

So, in the deployment instructions, stipulate that the content
node should have its own virtual host name and drop the protocol
and any port specification from HMAC comparisons, would seem to
make this slightly simpler to me?

Best wishes,

Daniel

-- 
--| Daniel Parry: daniel at caret.cam.ac.uk. www.caret.cam.ac.uk/ |--
"He who has done his best for his own time
 has lived for all times." [Johann von Schiller, Playwright]
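The normalization Daniel proposes, written out as an added Python example (this is not the OAE Server Protection Service's own code; the secret, host names and paths are constructed for the example): the signer covers only the lowercased host name, path and query, so a URL signed for the content node validates whether it is reached over http or https, on the default port or an explicit one, while the same path on a different host name does not validate.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed secret for this example only; a deployment would load it
# from configuration shared between the app node and the content node.
SHARED_SECRET = b"example-shared-secret-do-not-use"


def canonical_request(url: str) -> str:
    """Reduce a URL to the parts the HMAC covers: host, path and query.

    Scheme and port are deliberately dropped, so the content node can be
    addressed as http://host:8080/... or https://host/... with one
    signature. Binding to the host name is what keeps a signature for the
    content node from validating on the app node.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if parts.query:
        return f"{host}{path}?{parts.query}"
    return f"{host}{path}"


def sign(url: str, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the canonical form, hex-encoded for use in a URL."""
    return hmac.new(secret, canonical_request(url).encode(), hashlib.sha256).hexdigest()


def verify(url: str, presented_mac: str, secret: bytes = SHARED_SECRET) -> bool:
    """Constant-time comparison of the presented MAC with the expected one."""
    expected = sign(url, secret)
    return hmac.compare_digest(expected, presented_mac)


def demo() -> dict:
    """Exercise the three cases the thread is about (constructed URLs)."""
    mac_http = sign("http://content.example.edu:8080/p/abc")
    return {
        "same_host_https_default_port": verify("https://content.example.edu/p/abc", mac_http),
        "same_host_https_explicit_port": verify("https://content.example.edu:446/p/abc", mac_http),
        "different_host_same_path": verify("https://app.example.edu/p/abc", mac_http),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'rejected'}")
```

Dropping scheme and port from the signed string is only safe alongside the first half of the proposal: the content node gets its own virtual host name, so the MAC still binds a signed URL to that host, and the cookie-scoping problem Ray raises is handled by host separation rather than by the port.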

