Programmer Humor

32443 readers

1757 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.

founded 5 years ago

MODERATORS

[email protected]

247

SPAs were a mistake (lemmy.world)

submitted 11 months ago by [email protected] to c/[email protected]

23 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 32 points 11 months ago (6 children)

It's a security thing. The HttpOnly cookie can't be stolen using XSS or something like that, while a bearer token must be stored somewhere where javascript can see it.

[–] [email protected] 8 points 11 months ago* (last edited 11 months ago) (3 children)

Okay.

So make your webpage send the authtoken in a cookie and leave off the Authorization header, and have your third party (presumably native) clients send an Authorization header but not any cookies, and write your server software to check for both.

This seems trivial. What am I missing?

[–] [email protected] -5 points 11 months ago (2 children)

The point of the cookies being HttpOnly is that it makes them completely inaccessible to client side JavaScript, making a whole load of session hijack/XSS attacks impossible.

The request for a bearer token here circumvents this protection because then there's a way for a client to avoid cookies all together, making the API vulnerable again.

[–] [email protected] 10 points 11 months ago

it makes them completely inaccessible to client side JavaScript

Dude literally said to do this for browser clients, and only support bearer tokens for non browser clients.

load more comments (1 replies)

load more comments (3 replies)