Peter Amstutz, 12/17/2015 09:22 PM

Keep-web flow

Keep-web serves files from Keep collections as normal HTTP documents.


We are serving arbitrary files, which can include HTML files with Javascript. We don't want to serve these files as regular documents from Workbench, because doing so would create a cross-site scripting (XSS) hole: the HTML page would be loaded and its script executed in Workbench's origin, with the credentials (cookies) of the viewing user.

This is mitigated in two ways:

  1. By serving files with "Content-Disposition: attachment", which tells the browser to open the download dialog straight away instead of rendering the file (and so instead of running any script it contains).
  2. By using a separate domain for downloads, so the browser does not send Workbench cookies with the request; even if a file were rendered, it would run in the download domain's origin, not Workbench's.
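The following is an added example of mitigation 1, not keep-web's own code: a Go handler that serves every file with "Content-Disposition: attachment". The in-memory sampleFiles map (a constructed stand-in for a Keep collection, including an HTML file carrying a script) and the attachmentHandler name are assumptions for illustration. Mitigation 2 is a deployment property (the listener must live on a different domain from Workbench) that the code can only note in a comment, since cookie scoping is decided by the browser.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// sampleFiles is a constructed stand-in for a Keep collection: file name to
// contents. report.html is exactly the kind of file that must not be rendered
// in Workbench's origin.
var sampleFiles = map[string][]byte{
	"report.html": []byte(`<html><body><script>alert(document.cookie)</script></body></html>`),
	"notes.txt":   []byte("plain text\n"),
}

// attachmentHandler looks the requested path up in sampleFiles and serves it
// with "Content-Disposition: attachment", so the browser offers a download
// instead of rendering the document (and running any script it contains).
func attachmentHandler(w http.ResponseWriter, r *http.Request) {
	name := strings.TrimPrefix(r.URL.Path, "/")
	body, ok := sampleFiles[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	// mime.FormatMediaType quotes or escapes the filename parameter, so a
	// crafted file name cannot inject additional header parameters.
	w.Header().Set("Content-Disposition",
		mime.FormatMediaType("attachment", map[string]string{"filename": name}))
	// Serve as an opaque byte stream rather than text/html; with the
	// attachment disposition the browser saves it either way.
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Content-Length", fmt.Sprint(len(body)))
	w.WriteHeader(http.StatusOK)
	w.Write(body)
}

func main() {
	// Assumption: this listener is reached through a download domain that is
	// distinct from Workbench's, so Workbench cookies are never sent here.
	http.HandleFunc("/", attachmentHandler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Run it and fetch http://127.0.0.1:8080/report.html: the response carries "Content-Disposition: attachment; filename=report.html" and the browser saves the file rather than executing its script.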

This raises the challenge: since Workbench cookies are not sent to the download domain, how is the user's API token provided to keep-web so that it can authorize the download?

When user clicks on a workbench download link, they are redirected
