Project

General

Profile

Actions

Keep-web flow » History » Revision 2

« Previous | Revision 2/4 (diff) | Next »
Peter Amstutz, 12/17/2015 09:22 PM


Keep-web flow

Keep-web serves files from Keep collections as normal HTTP documents.

Considerations:

We are serving arbitrary files, which can include HTML files with Javascript. We don't want serve these files as regular documents from Workbench, because this would expose a cross-site-scripting (XSS) attack where the HTML page is loaded and executed with the credentials of the viewing user.

This is mitigated two ways:

  1. By serving files with "content-disposition: attachment" which tells the browser to open up the download dialog straight away and don't try to show the files.
  2. Using separate a separate domain for downloading, so the browser won't send workbench cookies.

This raises the challenge: how to provide the API token to keep-web to enable download?

When user clicks on a workbench download link, they are redirected

Updated by Peter Amstutz over 6 years ago · 2 revisions