[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
Tyler Close
tyler.close at gmail.com
Wed Sep 28 14:55:43 UTC 2005
Hi Antoine,
On 9/28/05, Antoine Pitrou <solipsis at pitrou.net> wrote:
> I'm curious as to how "capability URLs" can't be stolen and re-used by a
> malicious piece of Javascript like other URLs can.
Simply because a capability URL is unguessable. The blog page in our
previous example was able to do a GET on the spend page because it
knew the URL for the spend page. We block this attack by making all
URLs that represent authority be unguessable. Now, the only way for a
piece of code to use the authority is through someone who already has
the URL voluntarily passing it to that piece of code.
> I've tried to read
> the theoretical paper about "web calculus" but it's, well...
> theoretical ;) Is there a concrete example somewhere?
Yes, I've built an access controlled wiki. It's online at:
https://yurl.net/id/home
That page explains the details of the application.
> (I'm not on rest-discuss so I may have missed some parts of the
> discussion, so sorry if I'm asking redundant questions here)
There were some good questions asked on rest-discuss. You should read
the archives that Lucas referred to in his cross post to p2p-hackers.
Thanks for the questions.
Tyler
--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/extensions/moreinfo.php?id=957
More information about the P2p-hackers
mailing list