I've detailed this quite a bit on the cs-raven-discuss mailing list (issue affected almost all client libraries).

If Alice visits eve.com and logs in with Raven then they expect that eve should not be able to reuse the raven token to authenticate as Alice on another site (which is the entire point of including the URL in the signed token). Eve can simply spoof the Host header on servers that are not configured for virtual hosts (e.g. the CL site) and trick the target site into thinking it is eve.com (and thus accept the token).

The way that the python library and my own wordpress plugin/php library are solving this (wordpress plugin not finished yet) is to require that the user either:

- pass in some "trusted hosts" as a configuration value (attempts to raven auth to URLs not on the trusted hosts will fail)
- set a flag to trust all hosts (with a clear warning that this should only be used on servers that have been correctly configured to reject all but the expected hosts, and that some servers will blindly parse other headers like X-Forwarded-Host so you have to be extra extra sure you know what you are doing)
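As an added illustration of the mitigation described in this issue (example code written here, not the Raven python library's or the wordpress plugin's own), the check below derives the URL to compare against the signed token only from the Host header, rejects hosts outside a configured allowlist, and ignores X-Forwarded-Host; the `trust_all_hosts` flag reproduces the weaker mode. All names (`accept_token`, `target.example`, `/login`) are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical helpers for a Raven client; not code from any existing library.

class UntrustedHostError(Exception):
    """Raised when the request's Host is not on the configured allowlist."""

def _host_from_headers(headers):
    # Only the Host header is consulted. X-Forwarded-Host is deliberately
    # ignored: any client can send it, and some servers copy it blindly.
    return headers.get("Host", "").strip().lower()

def authn_url_for_request(headers, path, trusted_hosts, trust_all_hosts=False,
                          scheme="https"):
    """Build the URL that the signed Raven token is expected to carry.

    trusted_hosts: host[:port] values this deployment actually answers for.
    trust_all_hosts: only safe when the server itself already rejects
    unexpected Host values (correct virtual-host configuration).
    """
    host = _host_from_headers(headers)
    if not host:
        raise UntrustedHostError("missing Host header")
    if not trust_all_hosts and host not in {h.lower() for h in trusted_hosts}:
        raise UntrustedHostError(f"Host {host!r} is not a trusted host")
    return f"{scheme}://{host}{path}"

def token_url_matches(token_url, expected_url):
    """Compare the URL embedded in the token with the one we expect.

    Scheme and host are compared case-insensitively; the query string is
    ignored because the response parameters are appended to it.
    """
    a, b = urlsplit(token_url), urlsplit(expected_url)
    return (a.scheme.lower(), a.netloc.lower(), a.path) == \
           (b.scheme.lower(), b.netloc.lower(), b.path)

def accept_token(headers, path, token_url, trusted_hosts, trust_all_hosts=False):
    """True only if the token's URL matches a URL on a host we trust."""
    try:
        expected = authn_url_for_request(headers, path, trusted_hosts,
                                         trust_all_hosts)
    except UntrustedHostError:
        return False
    return token_url_matches(token_url, expected)

if __name__ == "__main__":
    # Constructed scenario: Eve replays Alice's eve.com token to the target
    # site with a spoofed Host header. With an allowlist it is rejected.
    spoofed = {"Host": "eve.com"}
    print(accept_token(spoofed, "/login", "https://eve.com/login", {"target.example"}))
```

With `trust_all_hosts=True` the same spoofed request is accepted, which is exactly why the flag needs the warning the issue describes.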