|
tps: i be all like "GET /" and the client app says "cant GET /" and i just have to sit here and imagine why i can't GET / because my browser's certainly not gonna tell me, and there's no precious logging to help me out either.
|
# ? Apr 30, 2019 19:06 |
|
HoboMan posted: tps: i be all like "GET /" and the client app says "cant GET /" and i just have to sit here and imagine why i can't GET / because my browser's certainly not gonna tell me, and there's no precious logging to help me out either.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

the quote: Who should read this article? really should be followed by quote: Who actually reads this article?

it may well be some other reason but i am astounded by how many people who work with web apps have just somehow never heard of cors and have never looked at dev tools to see the big angry 'hey you should check out cors' warning that pops up when its constraints arent satisfied.
|
# ? Apr 30, 2019 21:39 |
|
u can just put * everywhere and then the errors go away
|
# ? Apr 30, 2019 21:44 |
|
HoboMan posted: tps: i be all like "GET /" and the client app says "cant GET /" and i just have to sit here and imagine why i can't GET / because my browser's certainly not gonna tell me, and there's no precious logging to help me out either.

GET /out
|
# ? Apr 30, 2019 21:50 |
|
I just had a pull request accepted to tinkerpop gremlin, it's my first open sores contribution. It was literally 1 character but fixed a bug where the graph database client would run out of connections after a few hours.

ThePeavstenator fucked around with this message at 23:42 on Apr 30, 2019 |
# ? Apr 30, 2019 23:39 |
|
ThePeavstenator posted: I just had a pull request accepted to tinkerpop gremlin, it's my first open sores contribution.

i once signed some contributor agreement, logged into their system to setup a PR that moved one line of code into an existing try block, which then was looked over by multiple people, was assigned various emojis, and finally accepted.

CRIP EATIN BREAD fucked around with this message at 00:09 on May 1, 2019 |
# ? May 1, 2019 00:07 |
|
in retrospect i wish i had done GET /flask rather than just GET /
|
# ? May 1, 2019 03:07 |
|
I'm trying to run a C++ app with ASIO/Beast in AWS against ELB with HTTPS health checks. It looks like the checks consistently timeout. On one side you can have an SSL session cache but it rapidly grows up to cache 20,000 sessions by default which is more than the container has memory for, and on the other I find that the majority of OpenSSL ciphers are actually disabled because ASIO is fantastic and cannot set the necessary ECC parameters. The SSL elliptical ciphers would run faster and thus no longer hit the timeouts, allegedly. There is an app written in Go that is managing to survive by supporting the elliptical cipher set without TLS tickets or session caching, via Google's BoringSSL. Going to try OpenSSL's TLS ticket support which apparently moves the session cache to the client (AWS load balancer). I have no idea if any of this works and clearly Amazon documents anything useful like a raging rear end monkey.
|
# ? May 1, 2019 03:11 |
|
florida lan posted: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Maybe I'm dumb and stupid, but I loving hate CORS so much. As far as I can tell, it is only good for awful legacy apps that accepted requests like `GET /delete-everything`. But, GOD FORBID anyone like me wants to implement a `DELETE` route or use a non-standard header, because now I need to manually whitelist poo poo and endure a preflight `OPTIONS` request before anything can happen. Browsers should have just let the lovely enterprise web apps implode.
|
# ? May 1, 2019 05:20 |
|
Certain attacks were always possible through malicious IMG tags or post forms or combining the above with URLs that cause http to happen on non http ports. New stuff that adds additional potential attack vectors beyond what already existed has to prove remote consent first. This happens through same origin policy or cors for, well, cross origin requests, or the websocket handshake to prevent arbitrary JavaScript from generating arbitrary TCP traffic to arbitrary hosts. Why does a websocket handshake begin with something that looks like an http get? Because a malicious IMG tag could already generate those against arbitrary ports on arbitrary hosts long before even JavaScript was a thing.
|
# ? May 1, 2019 05:29 |
|
Sapozhnik posted: Certain attacks were always possible through malicious IMG tags or post forms or combining the above with URLs that cause http to happen on non http ports.

Even though I like to stay up-to-date with it, maybe I'm behind the times on web exploits. Like, I don't know any way to use an IMG embed to exploit something that's not a `GET` request. And for off-site form/img things, I assume you'd need to have already compromised the target host if you want to access the auth/session tokens for performing requests that result in changes being made.
|
# ? May 1, 2019 05:54 |
|
pseudorandom posted: And for off-site form/img things, I assume you'd need to have already compromised the target host if you want to access the auth/session tokens for performing requests that result in changes being made.

You do realise that the person who wrote a website might not be the same as the person accessing it through a web browser, right?
|
# ? May 1, 2019 06:03 |
|
Jabor posted: You do realise that the person who wrote a website might not be the same as the person accessing it through a web browser, right?

Yes? By "compromised" I was mostly referring to XSS and a malicious party gaining access to cookies/localStorage.
|
# ? May 1, 2019 06:09 |
|
pseudorandom posted: Yes? By "compromised" I was mostly referring to XSS and a malicious party gaining access to cookies/localStorage.

If you're on the website forums.somethingawful.com, and your browser sees an <img> tag that points to sitewhereyouareanadmin.com/delete_everything, what cookies are going to be used for the request?
|
# ? May 1, 2019 06:13 |
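Added example (not written by any poster in this thread): a simplified JavaScript model of the two points argued above, namely which requests a browser sends without asking first, and how a server can answer a preflight from an explicit allowlist instead of `*`. The origin `https://app.example.com`, the `x-api-version` header and the `POLICY` object are assumptions for illustration; the Fetch spec's `Range` and header-size limits are left out.

```javascript
// Added example: simplified model of the Fetch/CORS rules discussed in the thread.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when a browser must send an OPTIONS preflight before the real request.
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) return false;
    if (n === 'content-type') {
      return !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
    }
    return true; // any other author-set header, e.g. X-Requested-With
  });
}

// Hypothetical server policy: an explicit allowlist instead of "*" everywhere.
const POLICY = {
  origins: new Set(['https://app.example.com']),
  methods: new Set(['GET', 'POST', 'DELETE']),
  headers: new Set(['content-type', 'x-api-version']),
};

// Answer a preflight (lower-cased request headers in `req`).
// A reply without CORS headers makes the browser drop the real request.
function answerPreflight(req, policy = POLICY) {
  const origin = req['origin'];
  const method = (req['access-control-request-method'] || '').toUpperCase();
  const wanted = (req['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = policy.origins.has(origin) && policy.methods.has(method) &&
    wanted.every((h) => policy.headers.has(h));
  if (!ok) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin, // echo the vetted origin, never "*"
      'Access-Control-Allow-Methods': [...policy.methods].join(', '),
      'Access-Control-Allow-Headers': [...policy.headers].join(', '),
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    },
  };
}
```

Because `needsPreflight('GET')` is false, the `<img>` request in the post above goes out with the user's cookies before any CORS check applies, so state-changing routes belong on non-GET methods backed by a CSRF token or `SameSite` cookies.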
|
augh latex expansion bullshit
|
# ? May 1, 2019 06:26 |
|
cors is a garbage implementation of a good idea
|
# ? May 1, 2019 07:09 |
|
Chalks posted:[something in webdev] is a garbage implementation of a good idea
|
# ? May 1, 2019 07:09 |
|
Sagacity posted:
|
# ? May 1, 2019 07:28 |
|
would your web pages work in NCSA Mosaic on a VAXstation running VMS, if it supported modern SSL and PNG images? if not then you’re doing the web wrong
|
# ? May 1, 2019 08:30 |
|
pokeyman posted: I set up a simple pipelines thing a few months back and it took me about as long as it usually takes me to go from nothing to sorta working. I think there was some essential information in various forum posts and such, I don’t remember the documentation itself being super useful

yeah, i guess i need to set up a local docker environment to explore the container and test the thing. which i didn't really even think about before rubberducking the thread
|
# ? May 1, 2019 09:13 |
|
Wheany posted: yeah, i guess i need to set up a local docker environment to explore the container and test the thing. which i didn't really even think about before rubberducking the thread

here is what i think i want to do:
i want to build a java 8 spring boot project using maven
i want to copy the resulting jar over scp onto our [dev, staging, production] server into the correct directory.
how do i docker this?
|
# ? May 1, 2019 13:22 |
|
just use maven for everything
|
# ? May 1, 2019 13:31 |
|
Wheany posted: here is what i think i want to do:

Docker image contains the instructions to build from maven etc. Push image to a container registry, we use gcp then most basic option is to SSH into server and docker run. More advanced options are docker swarm and kubernetes
|
# ? May 1, 2019 13:39 |
|
Shaggar posted:just use maven for everything
|
# ? May 1, 2019 13:45 |
|
how can i add auth to a thing that already exists and is written by someone not-at-this-company? i basically want to MITM an internal website that we're serving to add auth on top of it and i have no idea how to do this at all i guess i could just fork the original and add auth to the actual site but i really dont want to do webdev if i can help it
|
# ? May 1, 2019 15:27 |
|
Is there zero auth on the site, as in, anyone who views the page is the same as every other person? Because if you just want to authenticate users against some directory, you can use nginx as a proxy with the auth request module, https://nginx.org/en/docs/http/ngx_http_auth_request_module.html which allows you to set up a small REST endpoint that nginx will pass requests to and let you do it that way.

basically you will just set up some small server that is essentially: code:
CRIP EATIN BREAD fucked around with this message at 15:37 on May 1, 2019 |
# ? May 1, 2019 15:34 |
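Added example (not the poster's code, which did not survive on this page): the decision logic of a small endpoint that nginx's `auth_request` module can consult, where a 2xx reply lets the original request through and a 401 denies it. The cookie name `session`, the `user.expires.hmac` token layout, the `AUTH_SECRET` variable, port 9000 and the `/_auth` and `legacy-app` names in the config sketch are all assumptions.

```javascript
// Added example: endpoint for an nginx auth_request subrequest.
// nginx side (sketch; location and upstream names are assumptions):
//   location / { auth_request /_auth; proxy_pass http://legacy-app; }
//   location = /_auth { internal; proxy_pass http://127.0.0.1:9000/check;
//                       proxy_pass_request_body off;
//                       proxy_set_header Content-Length ""; }
const crypto = require('crypto');
const http = require('http');

const SECRET = process.env.AUTH_SECRET || 'constructed-demo-secret'; // assumption

// Issue a token "user.expiresMillis.hmac" (user must not contain a dot).
function sign(user, expires, secret = SECRET) {
  const mac = crypto.createHmac('sha256', secret)
    .update(`${user}.${expires}`).digest('hex');
  return `${user}.${expires}.${mac}`;
}

// Returns the status nginx acts on: 200 allows the request, 401 denies it.
function decide(cookieHeader, now = Date.now(), secret = SECRET) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || '');
  if (!m) return 401;
  const parts = m[1].split('.');
  if (parts.length !== 3) return 401;
  const [user, expires, mac] = parts;
  const expected = sign(user, expires, secret).split('.')[2];
  const a = Buffer.from(mac);
  const b = Buffer.from(expected);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return 401;
  if (!/^\d+$/.test(expires) || Number(expires) <= now) return 401;
  return 200;
}

// Listen on loopback only, so nothing but the local nginx can reach it.
function startServer(port = 9000) {
  return http.createServer((req, res) => {
    res.writeHead(decide(req.headers.cookie));
    res.end();
  }).listen(port, '127.0.0.1');
}

if (process.argv.includes('--serve')) startServer();
```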
|
Corla Plankun posted: how can i add auth to a thing that already exists and is written by someone not-at-this-company?

in barbossa voice: "you better start believing in webdev projects then corla plankun, you're in one!"
|
# ? May 1, 2019 15:36 |
|
also in case anyone cares (i know you don't) the very helpful "cannot GET /" error i was getting was from angular silently failing to compile
|
# ? May 1, 2019 15:38 |
|
HoboMan posted: angular

found your problem
|
# ? May 1, 2019 15:48 |
|
CRIP EATIN BREAD posted: found your problem

If you've managed to make your Angular compile fail silently your problem starts before you get to the Angular part.
|
# ? May 1, 2019 15:49 |
|
found your problem
|
# ? May 1, 2019 15:52 |
|
Corla Plankun posted: how can i add auth to a thing that already exists and is written by someone not-at-this-company?

set the authentication mode from anonymous to windows Auth.
|
# ? May 1, 2019 15:56 |
|
Aramoro posted: If you've managed to make your Angular compile fail silently your problem starts before you get to the Angular part.

i don't know man, just got whatever set up vs 2017 gives you by default when you select "new angular project"
|
# ? May 1, 2019 16:26 |
|
CRIP EATIN BREAD posted: Is there zero auth on the site, as in, anyone who views the page is the same as every other person? Because if you just want to authenticate users against some directory, you can use nginx as a proxy with the auth request module, https://nginx.org/en/docs/http/ngx_http_auth_request_module.html which allows you to set up a small REST endpoint that nginx will pass requests to and let you do it that way.

yeah its the same for everyone, this seems like the right thing to do except its in k8s so i dont know how to tell nginx to do the thing. maybe i should know or maybe this is a devop thing to do
|
# ? May 1, 2019 16:29 |
|
is your nginx config created by an ingress controller? if so then you can just add some annotations to the ingress resource for your unsecured web application.
|
# ? May 1, 2019 16:43 |
|
Aramoro posted: If you've managed to make your Angular compile fail silently your problem starts before you get to the Angular part.

yeah you decided to use a javascript framework
|
# ? May 1, 2019 17:38 |
|
Shaggar posted:yeah you decided to use a javascript
|
# ? May 1, 2019 18:03 |
|
i'm going to make the worlds first anti-capitalist terminal emulator and call it griTTY
|
# ? May 1, 2019 18:13 |
|
DONT THREAD ON ME posted: i'm going to make the worlds first anti-capitalist terminal emulator and call it griTTY

"anti-capitalist", and yet fully 50% of the name is capitals
|
# ? May 1, 2019 18:22 |
|
nginx: i imagine it's supposed to be said like n-gin-x (engine x) but i can't help but read it as n-ginx (en jinx)
|
# ? May 2, 2019 05:26 |