mirror of
https://github.com/not-kennethreitz/convore.json.git
synced 2026-06-05 23:20:19 +00:00
1 line
2.1 KiB
JSON
[{"user_id": 9907, "stars": [], "topic_id": 14070, "date_created": 1300630902.9116609, "message": "I wanted to put together a little notification-extension for Chrome. Users would have to save their username and password in the preferences. When clicking a notification it could happen that they are not authenticated with the website.\nTo avoid this, could you check whether a user is already authenticated via cookie?", "group_id": 2780, "id": 392063}, {"user_id": 1, "stars": [], "topic_id": 14070, "date_created": 1300646819.796633, "message": "I understand the problem, but not quite the proposed solution here. Are you proposing adding cookie auth to the API endpoints?", "group_id": 2780, "id": 393156}, {"user_id": 9907, "stars": [], "topic_id": 14070, "date_created": 1300647168.9208419, "message": "If a user is already normally logged in via website, the API could just return results for that particular account without asking for http-auth again", "group_id": 2780, "id": 393167}, {"user_id": 209, "stars": [], "topic_id": 14070, "date_created": 1300648154.2742431, "message": "That seems dangerous, and vulnerable to cross-site script attacks though, unless I'm misunderstanding something.", "group_id": 2780, "id": 393243}, {"user_id": 1, "stars": [], "topic_id": 14070, "date_created": 1300686045.6126151, "message": "Yes, unfortunately while this would be very convenient, it's an XSS attack waiting to happen :(", "group_id": 2780, "id": 395552}, {"user_id": 9907, "stars": [], "topic_id": 14070, "date_created": 1300701067.938818, "message": "For an XSS attack I don't need to use the API endpoint. \nI could just use the calls the website uses.", "group_id": 2780, "id": 396918}, {"user_id": 9907, "stars": [], "topic_id": 14070, "date_created": 1300702229.2105551, "message": "The Gmail notification extension is doing exactly this.", "group_id": 2780, "id": 396937}, {"user_id": 9907, "stars": [], "topic_id": 14070, "date_created": 1300901835.5751469, "message": "The bigger problem for XSS I see, is that JSONP was activated, as JSONP is intended to allow for cross-domain-data-exchange via JavaScript...", "group_id": 2780, "id": 419103}]