Sign Hawaii Terms of Use Agreement Secure

Document type sign terms of use agreement hawaii secure

let's talk about cookies tokens api's let's talk about what that means so essentially this stock is inspired by something that I often encounter when I talk to developers so many developers are building modern web applications and they should we're building react angular and angular stuff view or whatever backed by an API and it's a great way of doing things and it's an interesting way of doing things but it also changes a lot of things one of the things that people struggle with is how do i do session management which may even sound very strange in the context of an api like sessions that's probably not right but it's there's no good word for it and there's no good definition for it and this is something that I actually see and the talk is gonna focus on these struggles developers see them and I don't have an answer for developers I have a set of options and each option has their pros and cons and I'm gonna lay them out for you and there's a lot more that plays a role than you might think because the web is a very complex and a very place full of subtleties so I'm gonna talk about that for the next 30 minutes to make sure that we're absolutely onboard of what we're talking about this is the old way of doing things this is what you did before when you had a web application a browser running running here we're cementing a browser running here making a request to authenticate to a back-end and you get a cookie in return very traditional the old way of doing things whenever you make a call the browser is gonna send that cookie along the back end makes an authorization decision and decides whether it's good to go or not the modern way of doing things look something like this we still use browsers in most cases even mobile applications usually have a browser under the hood but that aside so we still make the call to authenticate but instead of a cookie we get a token and that token magically appears on the request somehow the back end makes authorization decisions and off it goes from this picture which is totally marketing on PowerPoint by the way but nonetheless this is not a real architecture but the differences are not really there if you split out a bit you can you derive that in the old way of doing things we had a server-side session object so we keep something on the server we refer to that server-side session object with an ID that ID we put in a cookie which is stored in a cookie jar modern applications often use some client site ident a session object so in a typical setup as something you have very often encounter this would be a JSON web token stored in something like local storage and sent in the authorization header with the bearer type this is the setup the difference between these are subtle this is not the only setup this is the two most common things like the old ways nobody likes in a new day which a lot of developers like and I'm going to talk about what this means in practice in a second first a small word about myself Jim did a stellar job introducing me I'm from Belgium I did a PhD in web security and I have a I'd like to think that I have a very broad and very deep understanding of how the things hook together and what influences what and I can tell you that's a very difficult thing to achieve and that's what I try to explain to developers and the Google developer expert which is a recognition by Google and not employment by Google so I'm very thankful for that it's for the work I do for the community teaching talking stuff like that and of course the second of course in Belgium euros right there I highly recommend you to check it out we have great food at the course as well and the course itself is very interesting since about since about a year I left the University where our did work for a couple of years after my PhD and I started my own company called pragmatic web security and with that company the main thing I do is developer training so I travel the world I go wherever your developers are and I teach them about how to build secure software and I don't teach textbook examples like thesis cross-site scripting and that's the fix I help them to understand the problem because in my opinion the most important thing you can teach the developer is to recognize the problem even in different contexts so if it doesn't look like the textbook example if you still know like whoa this is a problem because it looks like that that is when you start achieving real results alright enough about me let's talk about api's and cookies and tokens and so on answer so one of the first things I want to point out is that your deployment scenario really matter so if you have an application you have a couple of clients you have a few back-end services honestly if you're building something that looks like this on your architecture diagram you probably get away with a stateful back-end which is maybe a very unpopular opinion but I think countered plenty of developers that have shifted to angular and started doing some stateless backends and afterwards after a couple of months a year two years they're like why did we do that we only have a few hundred users and we actually knew how to handle sticky sessions or session replication and this works quite well so for most of you this probably doesn't hold but for many people for many internal systems this actually does work so if you have a developer that has been doing something for 20 years and knows how to do it well keep doing it it actually works really well with other systems as well however if you're doing something like this then you probably might benefit from kind of a stateless back-end it's probably gonna be a rest back-end and so on so we don't need to debate this I just wanted to point out that the old way of doing things keeping state on the server is not necessarily a bad thing brings me to the first takeaway I have a couple of takeaways throughout the presentation don't overthink statelessness yes statelessness might be important and yes there are different degrees and I don't advocate to have like a request that changes its results arbitrarily based on some state on a server but keeping track of authorization state in a server side session object there's nothing wrong with that yes it's not a pure REST API but the company's called pragmatic web security because I don't talk about the purity arguments I talk about practical things and this actually does work in practice all right back to back to the old way and a new way so the old way cookie header identifiers you have some random session ID in there pointing to a server-side session object the new way of doing things is you have the authorization header and you have some kind of a token in there this is often this this slide represents kind of a frustration for me a pet peeve people often talk about cookies versus tokens which is they mean this versus this they mean keeping track of State on the server versus keeping track of it somewhat on the client and using the authorization header to handle that this comparison makes no sense and I know people that know that it actually doesn't really make sense and they keep calling it cookies versus tokens which creates more confusion than you might think because why not put a token in a cookie or put an identifier in the authorization header that gives us two more options which is pretty awesome and this is the the real problem that many people struggle with cookies and tokens are two different things cookies are a storage mechanism in a browser and a transport mechanism on HTTP and the authorization header is also a transport mechanism and what you put in there is something completely different whether you put an identifier or a token or whatever in there that's a different question and actually that's the least challenging part of some of these things so to make I saw some people laugh when I present at the other options because they look silly right if I present you like hey let's put a session ID in a bear it's like no man nobody does that however if you're using something like oh I'd you probably are doing that you maybe don't realize it that you're doing that but that's essentially what's happening let me give you a very quick overview of what this is a high I don't know if Daniel fat is in the room this is not an accurate representation of what he did a much better job doing that I just need a few architectural components to show you one example so what you want to do with a lot is the user wants to access a resource here - a client application so there's something going on the client is going to do some complicated redirect flow with the browser of the user and this might be an application in the browser this is just a vanilla page in the browser so there's gonna be some redirect flow and eventually the user is gonna authenticate to the authorization server one way or another and approve the application to access this resource on the behalf of the user very proud of when that happens you get an authorization code we saw that a couple of days ago the authorization code gets propagated to the client and the client uses that to request an access token from the authorization server and this access token the word says itself token this is what the client is going to use to access the protected resource one way or another this access token represents Authority the resource server is going to use that to make an authorization decision the resource server is going to look at that token like who the hell are you oh yeah I know who you are yeah you're allowed to access this resource go ahead and that's what's happening there there's two ways of doing that and watch this if it looks like this then the access token is a self-contained token and in all our terms today that means it's a job that some web token sign by the authorization server containing a set of claims about who's making this access this is the traditional or this is what what's common understood on under using a token to access a resource but all out has a second mechanism a lot supports something called reference tokens and a reference token this token is a random string it means nothing to the resource server the resource server instead has to go here with that token and ask like hey man I got this from the client what the hell is this and the authorization server is like oh yeah I know this reference token I generated that before it actually represents the data that we have here so it represents it's still active it represents a client and you can use that to make your authorization decision an authorization decision happens one step later before the response is returned and this is a very good illustration of why this whole discussion between cookies and tokens doesn't make sense you have to distinguish between a mechanism and the value that's important and the value can either be the value represents how you're handling this is it can refer to some server-side state regardless of where it's kept or it can be a self-contained token such as a JSON web token containing a set of claims but how you transport that and how you store that is completely separate from what it actually represents and in the rest of this talk I'm not going to talk about what it represents not about a value but about the mechanisms but how you store values in the browser the implications of that and how you transport them back to the server all right one of the first things we need to talk about is one of the major differences between cookies and the authorization header so this is how stuff gets transported back we have two scenarios keep in mind this is not the slide about statefulness and statelessness this is just clients sending something to the backend with cookies or with an authorization header cookies are handled by the browser the browser does that for you which is kind of nice in certain cases so one of the implications of that is because the browser handles them the browser decides when to send the cookie and cookies are associated with domains so if you want to use cookies there or if you are using cookies there it only works well if you have your API or your back-end since running an on one domain so domain white cookies are no longer recommended and cookies sharing cookies across domains is not a feature that's supported in browsers you can make it work but it's very dirty and very hacky so it's probably not the way to go if you're using the authorization header you have flexibility you have more options so the authorization header is added by your applications so your angular application will have a piece of code to add the authorization header to an outgoing request and I'll come to that in a second and because of that you are flexible you can do whatever you want so if you want to send it to different domains why not you decide which is pretty awesome so that's one of the the consequences here your deployment scenario of whether you're deploying stuff in one domain or on different domains is going to heavily influence the decision that you're gonna make on how to transport this information if you're using multiple domains cookies are probably not a good option and you'll have to deal with the subtleties of the authorization header of course if you really strongly feel about one way or the other that might again influence your deployment as well so these things definitely matter alright our transition enter let's let's talk about that in a bit more detail like I said your angular or your front-end application your browser-based application will have to handle whatever you're sending the ID or token reference token self-contained token whatever you're sending the browser will the application will have to handle that so you need go to do that one of the aspects of handling that means storing it somewhere so they actually have it when you need to send it and a common place to put that is local storage look at a hundred tutorials 99 or 100 are gonna say put in a local storage what does this mean well local storage is an area in the browser that is isolated per origin so if you have an Origin HTTP example.com and port 443 that's an origin that's represented by the orange one here code running in the orange context has the or orange origin and will be able to access this local search area if you have a separate browser window same browser of course page from the same origin has access to the same local storage area if it's another origin the blue one it will not have access to that storage area it will have access to its own area with its own origin but not the one from the orange origin however if you load frames in here for example again this complex has the orange origin it will be able to access that local storage area there's a little brother to local search called session storage a session storage is a bit more restrictive so in session storage scenarios you still have the origin based separation but there's a second thing that matters and that's the window and it's children so essentially this one the orange one has access to this session storage area if it opens a pop-up that for example opens in a new tab that one will have access to the same session storage area however if the user opens a completely unrelated browser window navigates to the site again that side even though it has the orange origin is not related to this settle window so it will not have access to session storage there it will have access to its own session storage area associated with this window and its children this is one of the common ways of setting things up when storing values I'm gonna give a more detailed comparison in a couple of slides there's one problem with this image that many people recognize like yeah this is all fine and it will work but what if something goes wrong what if the attacker gets a foothold in one of these pages this is cross-site scripting if the attacker gets a foothold he'll be able to read my local storage get my whatever talk and ship it off somewhere else and abuse that for all kinds of nefarious purposes and that's a very true observation so how do you handle that well don't have cross-site scripting that's step number one but I think we saw yesterday I believe are two days ago that that's really really really hard so some people are sugg sting yeah but what if we use cookies for that because this course our scripting that's a big problem so what if we had something that we could use to identify a requester without risking cross-site scripting and that something is called HTTP only cookies and they're not very secure [Applause] because it's the only cookies address one specific consequence of a cross-site scripting attack they hide a value in a cookie from JavaScript they tell the browser this cookie should never ever be seen by JavaScript wait wait a second to take a picture because there's gonna be a second line at the bottom that actually matters but that's HTTP only cookies and yes you can hide them but the real problem is you still have a cross-site scripting vulnerability and the attacker can inject whatever script you once and yes may be a very simple script kiddie like attacker will not be able to extract that value but a real attacker will be able to send whatever he wants to the back-end change the Dom change the behavior of the application trick the user whatever you want with that set it's P only is still useful it matters it has very tiny benefits yes Jim it does in the in the PDF of the slides there's by the way an extra slide explaining this in a bit more detail but it's not useful in the Nexus S context that's what I want to say about it yes it's P only works well if you want to details it works if you have domain-based cookies it works against certain attacks that's one thing that can help serve the name-based session hijacking for example and it helps against specter and meltdown attacks where they steal stuff from memory through some God knows how these things work with there's some complicated attacks and it's the only works there if your browser supports it so chrome for example and if a cookies Marcus it's fueled will not put it into the rendering process so it's not available in memory in the rendering process only in the networking process and because of that it's somewhat more protected so it helps but not in the context of cross-site scripting or stealing stuff from a browsing context again the PDF of the slides is on Twitter and you're gonna put it on scat as well and there is a slight detailing this in a bit more words so if you want to compare these things we have four potential storage areas local storage session storage you can keep it in memory if you want and you can put it in a cookie so what does this mean in detail well first of all all of them survive page reloads except in memory so in memory is probably I'm gonna come to that in a second in the next points but it's probably the most secure way of doing things because you can fully hide things you can guarantee some security properties there but if the user hits f5 or command R or whatever it's gone so it's probably not very usable in practice local storage is available to the entire origin session storage origin and window and its children in memory is wherever you want it you can fully you get it's only available to running code and cookies if you mark them as HP only only on outgoing requests this means that local storage can not be shielded from malicious code there's simply no way to do that if you have access to the script or scripting context if you can run script code you can read local storage session storage is a bit trickier because you need to run the code in the actual window and it's or one of its children so it's a bit more constrained in memory can be shielded it's very tricky to do that in JavaScript but if you really want to you could do that and cookies can be shielded as well but none of those prevent abuse in the presence of cross-site scripting and that's why none of this actually matters if you have cross-site scripting and the discussion of yeah should I put it here or there because if an attacker can do crud an XSS attack he might be able to read that honestly it doesn't matter don't underestimate cross-site scripting you are screwed if somebody has a foothold in your application this is important because sometimes you see security guidelines saying don't put something in local storage but if it works best if it saves you time on development and the only argument is yeah but cross-site scripting can read it I don't think it's valid arguments all right so we have all of these options for storage and it also impacts transport let's talk about cookies for a second who here likes cookies Wow three people I mean the HTTP version not a chocolate chip not too many people why not well I'm gonna show you why this is the traditional very old-school set-cookie header named fell you how hard can it be right you set it in browser and browser handles beautiful well no because you also need a secure flag to tell the browser by the way this coefficient only send our HTTP which I'm using of course so don't send it over HTTP and then you need a HTTP only flag like yeah I don't need this in JavaScript please hide it and then you need a prefix because hey turns out that this is not strict enough in browser handling so you need to tell the browser by the way when I say secure I actually mean secure so don't do some crazy browser quirks but actually handle this securely so you can add a prefix Cal underscore underscore secure dash to the name of the cookie and if any non-microsoft browser sees this they will handle this very strictly they will only accept it over HTTP and they will mandate that the secure flag is there and then you can choose like hey maybe I should replace this here prefix with the host prefix which tells the browser like by the way this cookie should only be sent back to the holster has said it so it eliminates domain white cookies so all of these are why nobody here likes cookies it's it's a mess let's be honest it's it's really messy and adding stuff to the name of the cookie to make it work it's it's not pretty there's there's the reason that they did that we can talk about that offline it's not pretty but I'm honestly if you configure a cookie like the two last ones depending on your needs it's actually not too bad but this requires effort to configure and if you're using a framework maybe they don't support this I don't know many frameworks that many firms that don't allow you to configure the name of their cookie that they're using which is potentially a problem so this is why everybody hates cookies so all hail the authorization header much better because you have control you can do whatever you want and let's be honest we all know better right as developers we know better than browser implementers in we can write better code so in angular this is how you do it this is angular ts1 this is angular 4 plus very easy very straightforward taken life are directly from tutorials on the internet like a few meaningful lines of code and you're done this code will get in this case your token from local storage and add this to an outgoing request in the authorization header same thing here it's a bit more structured and there's an authorization servers involved but essentially under the hood it does the same thing easy enough no cookies no mess no Flags no whatever well this is what you see in applications I've seen plenty of angular applications using code like this and this works if you contact your API because the authorization header will be there and the value from local storage will be there or session storage or whatever you want to keep it but it works too good because if you come back the third party API this thing doesn't care it's like oh I see an outdoor request BAM authorization header and off it goes so if you're fetching something from a third party from an untrusted party some static public data whatever this code is gonna attach an authorization header to every outgoing request oops that's not probably not what you want and this is actually quite common so what you need to do is if you implement it like this you need to have a list of approved origins or domains and you should send it only there and some libraries have support for that so this is angular that angular chat library from out zero they have a property called whitelist domains where they have allow you or require you to specify where your authorization header should be sent to but if you're writing this code yourself you'll have to implement that yourself and implementing that yourself means you are all matching and if you know about web development URL matching is one of the dirtiest pieces of code you can write and one of the trickiest ones to get right it's actually not that easy so the takeaway here is there's no free lunch whether you go with cookies or the authorization header you're gonna have to spend a lot of efforts on making sure that this is done in a secure way whether it's adding flags and prefixes or ensuring that your code has the necessary restrictions in place you need to do that and that's just the reality all right so so far I don't know whether it's a tire I didn't keep score whether it's tire not earn but let's talk about some of the subtleties of the web let's say you're like you know screw cookies I'm doing angular I'm gonna be very progressive and I'm gonna use the authorization header it makes sense in our scenario so you start doing that I've seen that with a customer they started doing that and then they said like hey we're gonna load some additional resources like images or script files and they load that very simply you add an image tag or a script to that to the dumb and the browser is gonna send out a request to load debt you know what's not there when the browser sins that request the authorization header they needed to do authorization checks on loading images and script files and they had no authorization information because the browser simply doesn't send it because your application handles the authorization header and your code cannot control how this request is sent well that's a lie but I'm gonna come to that in two seconds however if you're using cookies the browser sends them because cookies are controlled by the browser and the browser will actually see hey this is a request to a domain for which I have a cookie I'm going to send that cookie the reason I said this is a lie is because today and some browsers you can use a serviceworker to intercept these requests and add a header on the fly but it's dirty and I strongly don't recommend doing that and it's not only images and scripts it's exede chart if you make an xhr request across origins you can say with credentials true this property is about cookies if you set it to true the browser if it has a cookie will send that cookie on this cross-origin request and will ensure that the server expects it and so on and so on but that's course authorization header but there it's not there so if your application across origins would have to add that it would have needed well would need to get that from the application somehow making it a lot more complicated there's a third one if you open a WebSocket connection you do WebSocket new WebSocket boom off you go you know what's not there the authorization header but cookies our browser knows it I have a cookie for this domain I'm gonna send that cookie along with this request and believe me if you're opening WebSocket connections you probably want to do some authorization there some people have tried to do karate authorization it didn't end well so these are some examples of why cookies are actually always there cookies are handled by the browser and because of that they are sent on every request to that domain originating from the browser unless you configure the browser not to do that or something this is something to realize that the authorization header is not always there so if you're depending on these use cases if you're depending on the authorization there instead of building a complementary authorization mechanism next to the authorization header may be cookies are a better choice seriously thank you I think you're a bit too soon though because if cookies are always there we have to deal with Caesar that's again the downside it's easy to fix well reality with disagree I think but sequel injection is also easy to fix and look where we are today but yeah see search makes most people sad but maybe in an API world it's not so bad but it depends so I learned over the past few days as you guys all know what see service I'm not gonna explain see serve I'm going to talk about some solutions maybe the first text slide who knows if you have an API that's only accessible with xhr see server is not that bad of a problem but you need to Mitch make sure that it falls under the restrictions of course and course essentially governs how cross-origin requests can be sent from the browser so if you have an xhr request that uses something that can never originate from HTML HTML element such as a content type for application slash Jason nothing can send that except JavaScript and we sent JavaScript across origins from the attackers origin to the back end that you're trying to attack the origin header will be there and your course policy will decide whether this is allowed or not so if you have such an API you essentially only need to make sure well only is easy to say you need to make sure you have a strict course policy in place and then you're good to go see surf will be handled by that course policy however if for some reason you have a strange API which do exist that accepts HTML generated content types form encoded data or something like that you're in trouble because you will need to handle C surf if you're using cookies if you're not using cookies the whole problem goes away [Music] double cookie submit should be enough I have no idea what tripple cookie submit is well we can talk about that later so double double submit cookies are kind of a pattern to eliminate sea surf in in a transparent way in a sense that the server doesn't have to keep track of sea surf talk ins you push it to the client in a cookie so what really happens is the client application let's let's call it an angular app will read that cookie and copy the secret value into a header and only your application can do it because only your application runs in your domain otherwise again you're screwed and Caesar doesn't matter but only your application runs there can read that cookie can attach it there so if it's present it's legit if it's not present probably comes from somewhere else and you don't want to accept that can implies that this only works within your own domain that angular actually supports this pattern out of the box if you send it a cookie called xsrf token with the dash in between angular will automatically copy that into a header on every requested sense which is pretty cool however if you have such an API you should be aware that it's very hard to secure these things it's very tricky to get this right because there's ways that cross-origin requests can be forged so in a cross-origin setting this is never gonna work in a secure way the only thing you can do there is to have a strict course based API and force content types check have a strict course policy area good to go here's one example of how you can forge cross-origin requests with custom headers it's Adobe PDF of course I have to thank God of its for pointing me to this specific attack factor so essentially what you have here is you have a PDF document and then the PDF document you can specify some values and it's a text encoding with some strange characters and then test tests and this will trigger an HTTP request to the backend and that HP request looks like this opposed to an test endpoint that's the one here I don't know where the test is but supposed with the content type the car set is the one from here and then the test header ends up here so with this technique you could inject any arbitrary origin you want that's why API need to enforce content types because the content type will say it's coming from an Adobe or it's expecting some Adobe crap I don't know anything about that with PDF so no idea there but it actually tells what's happening but if your API doesn't enforce this you might be vulnerable here again so see serve is kind of tricky so cookies are always there which is in this case a downside because it enables C service it re uires us to think about C surf and to configure a strict course policy and test that strictness test that your API doesn't accept arbitrary content types test that it sends the proper course headers on the response and so on and so on all right like I said it's it's not a simple problem cookies versus authorization header or whatever so you might want to get rid of cookies altogether so let's go back to our authorization header this actually looks really nice no cookies no flags attribute C sir whatever man we just we're gonna fit this piece of angular code and record so we have our access token here but where does it come from it comes from the authorization server we have this authenticate step here so the authorization server knows who the user is but if you have an enterprise setup of what you have as as oh you have single sign-on so the the authorization server when you go there again and again and again it knows like yeah I know who you are it's good you can access your application and how does it know that well it knows that because it uses cookies here this is a redirect request from the browser to the authorization server redirects you have no control over that you cannot add additional headers there's no authorization header there an authorization server usually uses a cookie to keep track of a session so even though you don't have cookies in your application you're still depending on cookies and even in a setup where you have a mobile application if your client is a mobile application using all arts it uses the browser on a mobile device to de run the OAuth flow and a browser on a mobile device uses cookies to keep track of authorization state with the authorization server so this is kind of the last take away cookies are inherent to the web there's honestly no way around them well there is but it's gonna take you a massive amount of effort to and honestly it's not necessary to do that just be aware that they're there and they're the only thing that's supported by all web technologies course is not an old thing from fifty years ago it's a fairly recent API and it supports cookies because that's the way these things actually do work all the new directives for for doing cross-origin requests and loading all depend on using cookies so be aware of that the downside is we need to secure our cookies here's some data from Google telemetry this is I'm gonna say what it is it's depressing this is not good so today if you look at HTTP data we have 70% of page loads happening over HTTPS meaning that all of the cookies on those requests should be marked as secure and we're barely at 10% that is depressing this is not good prefixes have been available for about two years we're in the triple digits here behind the comma this is this is we're gonna come to this is actually not a very good place to be in and because of that there's a proposal from my quest from Google working on Chrome to get rid of cookies like hey maybe it's time we've tried to make it work and honestly we can put out whatever we want nobody is using that and it's really hard to convince people to use that so what if we could have a mechanism that we don't need to patch over and over and over again what if we can make something that has decent properties by default that people can actually use without having to worry about something that breaks that we can offer new applications a way to get things done in a better way and that's what the HTTP state tokens draft spec is about I'm not gonna go into detail here if you're interested to read it it's a draft it's just released like at the beginning of the month and they're actively looking for feedback they're actively looking for will this work for you how can we improve this so I highly recommend you take a look and chime in if you have something useful to say so let me wrap this up in three points first cookies are part of the wrapper do you like it or not they are there and whether your application uses them or not other applications will so if you're running your own authorization server log down your cookies I don't know about all commercial products but I hope they have controls that allow you to do that and if they don't harass your vendor until they actually add support for these features the keep in mind cookies are not mutually exclusive with eight api's which I have heard some people proclaim like API should can never use cookies well honestly if it's a web-based API they can alternative is the authorization header keep in mind that you can put whatever you want in that authorization header there's no restrictions they give you more flexibility it's easy for you to do whatever you want with the authorization header but you have to write a code and you have to secure the code which is again potentially a downside and I finally look at that proposal for HTTP state tokens that might make your life easier in the future might it actually has some very interesting controls and has some mechanisms where you can allow or require the browser to sign requests and prevent theft of that token altogether on the client which is pretty cool all right final slide I've made some security cheat sheets on angular security and job security so this might be very relevant for you and for the developers in your teams so you can grab them from the websites the slides are on Twitter so you can grab them there as well there's a clickable link so you don't have to type the whole URL but these might be interesting if you have feedback on that reach out I'm very easy to reach here are my contact details so follow me on Twitter I have some interesting security things to say there if you have feedback comments questions send me an email and that's it thank you [Applause] all right so relying on course 4c surf protection seems dangerous is it acceptable to use WP plus course first of all it the question is more elaborate it says it's dangerous because not all browsers support course what time are you living in well yes ok not all browsers Mesa mode process may not support course but if a browser doesn't support course it refuses to send an xhr request across origins because pre course if you send an xhr you can only send it to your own origin and never to a cross origin the browser would simply refuse to send that you can test if you have a Mac you can easily test it you can download Firefox 3 it still runs on your Mac OS which is pretty cool you can send a cross order request and Firefox is like no way no I'm not doing that so if you can send cross-origin xhr course is implemented and of course implement at the origin header is there and then you can rely on that but only if you are sure that a request is coming from course from xhr meaning that it has to be one of the content types that forms cannot support the question is is it acceptable to use double cookie plus course it's kind of a fallacy in a sense that if you are sending course you're sending cross-origin requests and then the origin sending the request will not be able to read the cookie associated with the backend so it's probably not gonna work because there's no access to the cookie but whoever asked that the anonymous guy here or girl you can talk to me afterwards and I can draw it out and we can discuss that in more detail all right thank you and I'm still here for the rest of the day so talk to me if you have any questions [Applause]