this post was submitted on 12 Dec 2023
248 points (95.9% liked)
Programmer Humor
32453 readers
762 users here now
Post funny things about programming here! (Or just rant about your favourite programming language.)
Rules:
- Posts must be relevant to programming, programmers, or computer science.
- No NSFW content.
- Jokes must be in good taste. No hate speech, bigotry, etc.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Under what circumstance would a web client need to send an
Authorization
header at all? The browser sends the cookie and the server treats that as equivalent.Malicious JavaScript in that case could theoretically forge a request using an auth token it acquired some other way by sending it as
Authorization: Bearer
in addition to the cookie, but 1) this would be extremely easy to defend against (just check for the cookie before you check theAuthorization
header) and 2) it would still not allow malicious JS code to access the user's auth token which was still stored in an HTTP only cookie, or really do anything that server side code (read: script kiddie scripts) couldn't, apart from sending a request from the web client's IP address.