sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

Outgoing websession requests should be allowed to set Authorization headers #3418

Open abliss opened 4 years ago

abliss commented 4 years ago

I'd like to use this to allow my matrix grain to speak to other matrix servers on the internet. CC @zenhack

kentonv commented 4 years ago

FWIW I think right now in the powerbox UI the user can specify a webkey which causes the capability to add an Authorization header to all requests. But the app itself cannot set the header.

For use cases where this flow works, it's nice that the app doesn't get to see the token, therefore cannot leak it.

abliss commented 4 years ago

That is a nice feature for certain use-cases. But (a) the matrix auth header is supposed to use X-Matrix rather than Bearer as the first word, and (b) its token is generated by signing a message with a private key that synapse expects to manage inside the grain.