StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
20767555
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2013-12-24T22:53:44.293
FavoriteCount
0
LastActivityDate
2013-12-24T22:53:44.293
LastEditDate
2017-05-23T12:22:53.150
LastEditorUserId
-1
OwnerUserId
20394
ParentId
20757583
PostTypeId
2
Score
2
ViewCount
0
LastEditorDisplayName
text
Body
Tyler Close and others who did the security architecture for Waterken did the relevent research form this. They use unguessable strings in URI fragments as <a href="http://waterken.sourceforge.net/web-key/" rel="nofollow noreferrer">web-keys</a>: <blockquote> This leakage of a permission bearing URL via the <code>Referer</code> header is only a problem in practice if the target host of a hyperlink is different from the source host, and so potentially malicious. RFC 2616 foresaw the danger of such leakage of information and so provided security guidance in section 15.1.3: <blockquote> "Because the source of a link might be private information or might reveal an otherwise private information source, … Clients SHOULD NOT include a <code>Referer</code> header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol." </blockquote> Unfortunately, clients have implemented this guidance to the letter, meaning the <code>Referer</code> header is sent if both the referring page and the destination page use HTTPS, but are served by different hosts. This enthusiastic use of the Referer header would present a significant barrier to implementation of the web-key concept were it not for one unrelated, but rather fortunate, requirement placed on use of the <code>Referer</code> header. Section 14.36 of RFC 2616, which governs use of the <code>Referer</code> header, states that: "The URI MUST NOT include a fragment." Testing of deployed web browsers has shown this requirement is commonly implemented. Putting the unguessable permission key in the fragment segment produces an https URL that looks like: <code><https://www.example.com/app/#mhbqcmmva5ja3></code>. <h1>Fetching a representation</h1> Placing the key in the URL fragment component prevents leakage via the <code>Referer</code> header but also complicates the dereference operation, since the fragment is also not sent in the <code>Request-URI</code> of an HTTP request. This complication is overcome using the two cornerstones of Web 2.0: JavaScript and XMLHttpRequest. </blockquote> <hr> So, yes, you can use fragment identifiers to hold secrets, though those secrets could be stolen and exfiltrated if your application is susceptible to XSS, and there is no equivalent of http-only cookies for fragment identifiers. I believe Waterken mitigates this by removing the secret from the fragment before it runs any application code in the same way many sensitive daemons <a href="https://stackoverflow.com/a/6607843/20394">zero-out their <code>argv</code></a>.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POHow secure is it to use fragment identifiers to hold private data in URLs?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USMike Samuel
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POHow secure is it to use fragment identifiers to hold private data in URLs?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTAcceptedByOriginator
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.