Do you think the bank has discovered mystery event marketing? Or that buggy JavaScript strikes again?

Is this a clever marketing campaign? Or buggy JavaScript?


Prepping for the new office. I got a heavy bike, so why not put some cargo on? On the back you can see a UPS (standard lead-acid battery style) and some mounting brackets; in the back is the 6-port mini-PC that will be the router, plus the tablet to configure it. Adds about 35 kg to the back of the bike.

Gotta say, stability is not improved by that much weight over and behind the rear axle. Braking was also not the speediest.

Jury is still out on whether plugging the charger in to the UPS and then into the bike battery would improve range. I'll leave you to try 🙂


Situation: many Stack Overflow posts etc. wringing hands about the missing ability to number paragraphs in Google Docs.

Solution: write it.

You're welcome.

Now you can write a patent using Google Docs, collaborate with your team (including your patent attorney), and add the paragraph numbering when needed.


So I spent a bit of time debugging something this morning, and I thought I would share. It's super detailed, so feel free to gloss over.

There is a class of browser-security issues addressed by CORS. The browser's same-origin policy stops JavaScript on one origin from reading responses from another; CORS is the header-based protocol by which a server selectively relaxes that, and it exists so that cross-origin resource sharing only happens when the server intends it, never inadvertently (or maliciously). E.g. some JavaScript in your current web page posts a password to, or reads a token from, another site.

I am using Istio. It magically takes the CORS origin and rewrites it: the Envoy CORS filter reflects the allowed request Origin back in the response rather than emitting a literal `*`. So if you do a:

GET /
Origin: foo

then it will respond:

200 OK
Access-Control-Allow-Origin: foo

*if* it's configured for the '*' (allow any origin) policy.

Now, the problem is, I have two clients that are using OpenID Connect. They are fetching the JWKS (the JSON Web Key Set) they need to validate JWT signatures, and they run in the same browser. One of them does:

GET /keys
Origin: app-1

the other does

GET /keys
Origin: app-2

Unfortunately, the browser *caches* the first response and serves it for the 2nd request, so app-2 receives the response app-1 got, with `Access-Control-Allow-Origin: app-1` in it. That value does not match app-2's origin, so the browser blocks app-2 from reading the keys.

Why? Well, let's dive into some specs. Here, in the Fetch standard's CORS protocol section, we find the answer:

> If CORS protocol requirements are more complicated than setting `Access-Control-Allow-Origin` to * or a static origin, `Vary` is to be used.

Huh. I'm supposed to add a `Vary: Origin` header to these responses, so that the cache keys them by request Origin. But, sadly, I am not in control of these applications. What is one to do? RTFC for Envoy?
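To make the caching behaviour concrete, here is an added example (not code from the original post, Istio or Envoy): a small model of a browser cache that honours `Vary` the way RFC 7234 describes, paired with an origin-echoing CORS responder like the one described above. The `/keys` URL and the `app-1` / `app-2` origins come from the post; the `originEchoingServer`, `BrowserCache`, `corsPermits` and `simulate` functions are assumptions made for this illustration. It replays the two-app scenario once without and once with `Vary: Origin`.

```javascript
// Added example, not part of the original post. Models the browser-side
// cache behaviour that makes an origin-echoing CORS responder need
// "Vary: Origin". All function and class names are assumptions.

// Upstream behaviour under discussion: reflect the allowed request Origin in
// Access-Control-Allow-Origin. `withVary` controls whether Vary: Origin is set.
function originEchoingServer(withVary) {
  return function handle(request) {
    const origin = request.headers.origin;
    const headers = {
      'content-type': 'application/json',
      'cache-control': 'max-age=3600',
      'access-control-allow-origin': origin, // reflected, not a literal "*"
    };
    if (withVary) {
      headers['vary'] = 'Origin';
    }
    return { status: 200, headers, body: '{"keys":[]}' }; // constructed JWKS body
  };
}

// Simplified browser cache following RFC 7234 section 4.1: a stored response
// may be reused only if every header named in its Vary field has the same
// value in the new request as in the request that stored it.
class BrowserCache {
  constructor() {
    this.entries = new Map(); // url -> [{ requestHeaders, response }]
  }

  static varyFields(response) {
    const vary = response.headers['vary'];
    if (!vary) return [];
    return vary.split(',').map((f) => f.trim().toLowerCase()).filter(Boolean);
  }

  lookup(url, requestHeaders) {
    const stored = this.entries.get(url) || [];
    for (const entry of stored) {
      const fields = BrowserCache.varyFields(entry.response);
      if (fields.includes('*')) continue; // "Vary: *" is never reusable
      const matches = fields.every(
        (f) => (entry.requestHeaders[f] || '') === (requestHeaders[f] || '')
      );
      if (matches) return entry.response;
    }
    return null;
  }

  store(url, requestHeaders, response) {
    const list = this.entries.get(url) || [];
    list.push({ requestHeaders, response });
    this.entries.set(url, list);
  }

  fetch(url, requestHeaders, server) {
    const cached = this.lookup(url, requestHeaders);
    if (cached) return { response: cached, fromCache: true };
    const response = server({ url, headers: requestHeaders });
    this.store(url, requestHeaders, response);
    return { response, fromCache: false };
  }
}

// The check the browser applies before handing a cross-origin body to script.
function corsPermits(origin, response) {
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

// Replays the scenario from the post: app-1 then app-2, same browser, both
// fetching /keys. Returns what app-2 observes.
function simulate(withVary) {
  const cache = new BrowserCache();
  const server = originEchoingServer(withVary);
  cache.fetch('/keys', { origin: 'app-1' }, server);
  const second = cache.fetch('/keys', { origin: 'app-2' }, server);
  return {
    fromCache: second.fromCache,
    acao: second.response.headers['access-control-allow-origin'],
    allowed: corsPermits('app-2', second.response),
  };
}

// simulate(false) -> app-2 is served app-1's cached response and is blocked;
// simulate(true)  -> the Origin-keyed cache misses, app-2 gets its own response.
```

Without `Vary: Origin` the cache key is just the URL, so the second app inherits the first app's reflected `Access-Control-Allow-Origin` and fails the CORS check; with it, the differing `Origin` header is part of the secondary cache key and each app gets a response minted for it. If the header cannot be added in the application itself, adding it at the mesh edge (for example an Istio VirtualService response header addition) achieves the same cache behaviour.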

To work around the missing `Vary: Origin` header in apps needing CORS, I should:


Apply early, apply often, and tell all your friends, particularly if they want to get down and dirty with the inner workings of the big fluffy cloud called computing.

https://www.workintech.ca/job-details/10757/cloud-security-hacker/

And while I'm begging, feel free to follow us on LinkedIn. Or Twitter. Or why not both!
