-
HashBack
A web authentication exchange where a caller proves their identity by publishing a hash value on their website.
-
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
Thank you just for reading it! I've opened an issue on the project at https://github.com/billpg/CrossRequestTokenExchange/issues/6
If I rewrite your scenario to check I understand it...
An attacker sets themselves up as an Initiator and registers https://evil.example/TimeOut/ as their URL to receive the TokenIssue POST requests. The attacker then makes a TokenCall request to which the Issuer responds by making the TokenIssue POST request to the malicious "time out" endpoint. As this never responds, that initial connection is kept open.
mTLS has warts when used cross-origin. Fetch spec says that pre-flight requests mustn't include client certificates[1], so as a consequence servers behind mTLS authenticated proxy won't get a chance to reply to those pre-flight. Yet for non-preflighted requests it's fine to include client certificates..
[1] https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
Related posts
-
JavaScript fetch does not support GET request with body
-
How do I detect requests initiated by the new fetch standard? How should I detect an AJAX request in general?
-
Server Sent Events
-
[Express] - How to have a self-updating display in browser window? Template Engines sufficient? Or use Vue/Angular/React?]
-
My experience being blocked by Google Safe Browsing