- May 2023
-
-
- Dec 2022
-
www.facebook.com
-
2. NO POST FROM FAN PAGES / ARTICLES / VIDEO LINKS: Our mission is to cultivate the highest quality content inside the group. If we allowed videos, fan page shares, & outside websites, our group would turn into spam fest. Original written content only
-
1. NO POSTING LINKS INSIDE OF POST - FOR ANY REASON: We've seen way too many groups become a glorified classified ad & members don't like that. We don't want the quality of our group negatively impacted because of endless links everywhere. NO LINKS
-
- Sep 2022
-
developer.mozilla.org
-
The server possibly can send back a 406 (Not Acceptable) error code when unable to serve content in a matching language. However, such a behavior is rarely implemented for a better user experience, and servers often ignore the Accept-Language header in such cases.
-
- Aug 2022
-
www.uml-diagrams.org
-
The interaction operator strict requires a strict sequencing (order) of the operands on the first level within the combined fragment
-
Weak sequencing reduces to a parallel merge when the operands are on different sets of participants. Weak sequencing reduces to strict sequencing when the operands work on the same participant.
weak sequencing
- reduces to:
  - parallel (simultaneous), or
  - strict sequencing
-
- Jan 2022
-
stackoverflow.com
-
Hi, it seems as though you have multiple questions: you should separate these into multiple posts.
A multi-question post would be perfectly appropriate in a forum or mailing list. Seems a bit too strict to not allow something like this, where one has multiple related questions.
-
-
www.rfc-editor.org
-
The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.
Meaning that 99% of the people who use it are using it "wrong" because they're not using it for HTTP authentication and don't send a WWW-Authenticate header field with their 401 response?
Hmm. That's a tough one. On the one hand, the spec does say they must send it.
Initial opinion
But on the other hand, one could argue that that requirement only applies if using 401 for HTTP authentication. And that saying it's wrong to do so (as they claim at https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses/14713094#14713094 and https://hyp.is/JA45zHotEeybDdM_In4frQ/stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses) is having a too strict/narrow/literal interpretation.
HTTP is meant to be used widely in many very different uses and contexts, most of which do not use this very specific HTTP authentication scheme; my opinion is that they shouldn't be denied from using it, just because they don't have anything useful to put in the WWW-Authenticate header field. (Or (which is also fine with me), just put something "emptyish" in the field, like "Unused". Unless that would trigger a Basic auth modal in the browser, in which case we shouldn't, for practical reasons.)
Why shouldn't we be able to repurpose this same status code for uses that are still authentication, but just not HTTP authentication per se?
Is it really wrong to repurpose this useful status code for other contexts, like cookie-based app-defined authentication systems?
I say that it's okay to repurpose/reuse 401 for any authentication system (that uses HTTP as a part of it, even though not using HTTP's own authentication system), as long as we try to maintain the same semantic as originally intended/described here. I think it's okay to use 401 as a response to an XHR request, and then have the client redirect to a login page, which provides a way to authenticate again (reattempt the authentication challenge), analogous to how it works for HTTP authentication.
Revised opinion
https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses/14713094#14713094 has made me change my mind and convinced me that...
Authentication by schemes outside of (not defined by) RFC7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication should not use HTTP status 401, because 401 Unauthorized is only defined (by current RFCs) by RFC7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication, and has semantics and requirements (such as the requirement that "A server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header field containing at least one challenge.") that simply don't make sense or cannot be fulfilled if using a non-HTTP authentication scheme.
403 Forbidden, on the other hand, is defined by the broader HTTP standard, in RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content and RFC7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication.
In conclusion, if you have your own roll-your-own login process and never use HTTP Authentication, 403 is always the proper response and 401 should never be used.
Couldn't a custom auth system use WWW-Authenticate header?
The question was asked:
Doesn't RFC7235 provide for "roll-your-own" or alternate auth challenges? Why can't my app's login flow present its challenge in the form of a WWW-Authenticate header? Even if a browser doesn't support it, my React app can...
And I would say sure, if you want (and if the browser doesn't automatically show a Basic auth modal in this case and thwart your plans).
They might be on to something here with that question!
But that should probably be the test of whether you can/should use 401: are you actually using WWW-Authenticate header?
Indeed I found an example where it is used for OAuth2.
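A small Python helper, added here as an example and not taken from any of the annotated pages, that encodes the conclusion reached above: 401 is only emitted together with a WWW-Authenticate challenge (the RFC 7235 MUST quoted at the top), a roll-your-own login flow gets 403, and a lint flags any 401 that lacks the header. The Bearer challenge form follows RFC 6750 (the OAuth2 use mentioned above); the list of schemes that open a browser login dialog is an assumption about typical browser behaviour, not something the annotated pages state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Schemes for which browsers commonly open their own credential dialog when
# they see the challenge on a 401 (assumption about typical browser behaviour).
NATIVE_PROMPT_SCHEMES = {"basic", "digest"}


def deny(challenge: Optional[str] = None) -> Response:
    """Return the denial response for a request that may not proceed.

    challenge: an HTTP auth challenge such as 'Bearer realm="api"' (the form
    RFC 6750 defines for OAuth 2.0 bearer tokens). With a challenge the reply
    is 401 and carries WWW-Authenticate, as RFC 7235 requires. Without one
    (cookie/session login flows that never use HTTP authentication) the reply
    is 403, following the conclusion in the annotation above.
    """
    if challenge:
        return Response(401, {"WWW-Authenticate": challenge}, "authentication required")
    return Response(403, {}, "forbidden")


def rfc7235_violations(resp: Response) -> List[str]:
    """Lint a response against the MUST quoted above: a 401 needs a challenge."""
    # Header names are case-insensitive, so compare them lower-cased.
    has_challenge = any(k.lower() == "www-authenticate" and v
                        for k, v in resp.headers.items())
    if resp.status == 401 and not has_challenge:
        return ["401 without WWW-Authenticate (RFC 7235 section 3.1 MUST)"]
    return []


def prompts_browser_dialog(challenge: str) -> bool:
    """True if the challenge's scheme would typically trigger the browser's
    built-in login modal (the practical concern raised in the annotation)."""
    scheme = challenge.split(None, 1)[0].lower()
    return scheme in NATIVE_PROMPT_SCHEMES


if __name__ == "__main__":
    for r in (deny(), deny('Bearer realm="api"'), Response(401)):
        print(r.status, r.headers, rfc7235_violations(r))
```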
-
-
stackoverflow.com
-
Authentication by schemes outside of RFC2617 is not supported in HTTP status codes and are not considered when deciding whether to use 401 or 403.
What does "are not considered when deciding whether to use 401 or 403" mean exactly? What exactly should not be considered, and what exactly should be considered instead? In other words, how did someone arrive at the conclusion that "if you have your own roll-your-own login process and never use HTTP Authentication, 403 is always the proper response and 401 should never be used."? Why is 403 okay to use for non-HTTP authentication, but not 401?
Oh, I think I understand the difference now.
They should have said:
Authentication by schemes outside of (not defined by) RFC7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication should not use HTTP status 401, because 401 Unauthorized is only defined (by current RFCs) by RFC7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication, and has semantics and requirements (such as the requirement that "A server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header field containing at least one challenge.") that simply don't make sense or cannot be fulfilled if using a non-HTTP authentication scheme.
403 Forbidden, on the other hand, is defined by the broader HTTP standard, in RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content and RFC7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication.
In conclusion, if you have your own roll-your-own login process and never use HTTP Authentication, 403 is always the proper response and 401 should never be used.
See also my comments in https://hyp.is/p1iCnnowEeyUPl9PxO8BuQ/www.rfc-editor.org/rfc/rfc7235
-
The statement is "If the request already included Authorization credentials". That means if this is a response from a request which provided the credential (e.g. the response from a RFC2617 Authentication attempt). It is essentially to allow the server to say, "Bad account/password pair, try again". In the posed question, the user is presumably authenticated but not authorized. 401 is never the appropriate response for those circumstances.
See my comments in https://hyp.is/p1iCnnowEeyUPl9PxO8BuQ/www.rfc-editor.org/rfc/rfc7235
-
401 is only appropriate for HTTP Authentication
-
-
datatracker.ietf.org rfc7235
-
The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.
Moved this comment to: https://hyp.is/p1iCnnowEeyUPl9PxO8BuQ/www.rfc-editor.org/rfc/rfc7235
-
- Jul 2021
-
psyarxiv.com
-
Warmerdam, R., Wiersma, H. H., Lanting, P., Dijkema, M. X. L., Vonk, J. M., Boezen, M. H. M., Deelen, P., & Franke, L. (2021). Increased genetic contribution to wellbeing during the COVID-19 pandemic. PsyArXiv. https://doi.org/10.31234/osf.io/uksxt
-
-
developer.mozilla.org
-
All safe methods are also idempotent, but not all idempotent methods are safe. For example, PUT and DELETE are both idempotent but unsafe.
-
- May 2021
-
-
Soo, Z. (2021, May 14). Singapore tightens COVID-19 measures, travel bubble unlikely. Coronavirus. https://www.ctvnews.ca/health/coronavirus/singapore-tightens-covid-19-measures-travel-bubble-unlikely-1.5427967
-
-
www.swissinfo.ch
-
Keystone-SDA/gw. (n.d.). Emergency care workers urge Swiss government to act as Covid cases soar. SWI Swissinfo.Ch. Retrieved 1 March 2021, from https://www.swissinfo.ch/eng/emergency-care-workers-urge-swiss-government-to-act-as-covid-cases-surge/46103186
-
- Apr 2021
-
unix.stackexchange.com
-
The question on the title: replace space with new line. The simple, quick, brute force solution is to do exactly that, replace all spaces with new lines:
-
- Feb 2021
-
twitter.com
-
Kit Yates. (2021, January 22). Is this lockdown 3.0 as tough as lockdown 1? Here are a few pieces of data from the @IndependentSage briefing which suggest that despite tackling a much more transmissible virus, lockdown is less strict, which might explain why we are only just keeping on top of cases. [Tweet]. @Kit_Yates_Maths. https://twitter.com/Kit_Yates_Maths/status/1352662085356937216
-
-
psyarxiv.com
-
Urminsky, O., & Bergman, A. (2021). The Masked Majority: Underprediction Of Widespread Support For Covid-19 Safety Policies. PsyArXiv. https://doi.org/10.31234/osf.io/fhdkv
-
- Jan 2021
-
www.facebook.com
-
Group Rules from the Admins
1. NO POSTING LINKS INSIDE OF POST - FOR ANY REASON: We've seen way too many groups become a glorified classified ad & members don't like that. We don't want the quality of our group negatively impacted because of endless links everywhere. NO LINKS
2. NO POST FROM FAN PAGES / ARTICLES / VIDEO LINKS: Our mission is to cultivate the highest quality content inside the group. If we allowed videos, fan page shares, & outside websites, our group would turn into spam fest. Original written content only
3. NO SELF PROMOTION, RECRUITING, OR DM SPAMMING: Members love our group because it's SAFE. We are very strict on banning members who blatantly self promote their product or services in the group OR secretly private message members to recruit them.
4. NO POSTING OR UPLOADING VIDEOS OF ANY KIND: To protect the quality of our group & prevent members from being solicited products & services - we don't allow any videos because we can't monitor what's being said word for word. Written post only.
Wow, that's strict.
-
- Nov 2020
-
stackoverflow.com
-
This definition is actually a strict subset of the first definition: as the same script must (by definition) run inside both a server/Node.js context, but also a browser DOM context
-
- May 2019
-
oll.libertyfund.org
-
Paduans
Paduans is a Venetian Italian city that was founded by the Trojan prince Antenor in 1185 B.C. after the destruction of Troy. Antenor, who was the founder of the city, was said to be a traitor of the Trojans, and he delivered Palladio, who was the talisman of Troy, to Odysseus and Diomedes, and in exchange he received salvation for himself and his family. Today Paduans is known to be one of the most beautiful cities in Veneto.
-
- Feb 2018