toolness
commented
11 years ago Hmm, so I'm realizing now that it's possible to embed basic auth information in the actual URLs, e.g.
{"evidence": [
{
"url": "http://user:pass@example.org/secure_image.jpg",
"mediaType": "image",
},
...
]}It looks like Firefox, Chrome, and Safari deal fine with <img> tags that point at such URLs, at the very least. Regular <a> links containing the credentials open in new browser windows with the credentials removed, so at least it's harder for the credentials to spread unintentionally. And aestimia currently deals with these URLs just fine.
Is that good enough to protect the confidentiality of the evidence?
I'm noticing that it is possible to right-click on such images/links and get the URL, which does contain the auth information, so it's still possible to share the URL. But again, once the URL is pasted in the address bar, the auth information immediately disappears.
iamjessklein
Sometimes, evidence content needs to be authenticated, or otherwise have certain headers, that Aestimia will need to send when requesting it.
To that end, I'd suggest adding an (optional) headers field to evidence objects, as follows:
Aestimia can then just echo back these headers when fetching the content.