阻止密码管理器在XHR请求时要求保存密码。

huangapple go评论71阅读模式
英文:

Prevent password manager from asking to save password on xhr request

问题

我们向外部API发送请求。这是一个公共API,但仍然需要发送基本的身份验证信息。由于这是一个公共用户且没有进一步的访问权限,这不是安全问题。但是,当执行这些请求时,密码管理器会询问是否保存此外部URL的基本身份验证数据。这很烦人,网站上的用户可能会困惑,不知道为什么突然能够为他们不了解的域保存用户名和密码。

我想知道我们是否可以让密码管理器通常忽略这些请求。

到目前为止,我们只注意到LastPass有这种行为(bitwarden和内置的chrome没有显示这种行为)。我想知道这是否是LastPass扩展特有的问题,还是其他管理器也可能出现这种情况。

迄今为止,我的研究没有显示任何结果。

可以在此fiddle中重现,例如:

(function() {
  superagent('GET', 'https://httpbin.org/anything')
    .auth('Username', 'Password')
    .type('application/json')
    .then(res => {
      console.debug('res', res);
    })
    .catch(err => {
      console.debug('err', err)
    });
})();

这是LastPass如何要求保存凭据的方式:
阻止密码管理器在XHR请求时要求保存密码。

根据评论建议,我尝试将URL实现为username:password@example.com,LastPass不再识别这种形式。

通过curl验证了API可以使用此语法,但当我将其实现为如下时:

(function() {
  superagent('GET', 'https://username:password@httpbin.org/anything')
    .auth('Username', 'Password')
    .type('application/json')
    .then(res => {
      console.debug('res', res);
    })
    .catch(err => {
      console.debug('err', err)
    });
})();

API不再接受此形式。

我联系了API的开发者,他说请求中不包含身份验证信息。我想知道浏览器是否以某种方式将其剥离?直接在浏览器中访问URL时它有效,但浏览器是否在幕后将其转换为标头?在Firefox中调用URL会显示身份验证标头,但在Chrome中不会。无论哪种方式,似乎都可以工作。

英文:

We are sending requests to an external API. It is an public API but still requires to sent basic auth authentication. Since it is a public user with no further access this is no security issue. But when those requests are executed the password manager keeps asking to save the basic auth data for this external url. This is annoying and the users on the website might get confused why they suddenly can save a username and password for a domain they do not know.

I would like to know if we can somehow make password managers in general ignore those requests.

So far we only noticed last pass with this behavior (bitwarden and chrome build in do not show this behavior). I am wondering if it is a problem specifically with the last pass extension or if it might be happening with other managers too.

My research so far did not show any results.

It can be reproduced in this fiddle with the an request like this:

(function() {
  superagent('GET', 'https://httpbin.org/anything')
    .auth('Username', 'Password')
    .type('application/json')
    .then(res => {
      console.debug('res', res);
    })
    .catch(err => {
      console.debug('err', err)
    });
})();

This is how last pass asks to save the credentials:
阻止密码管理器在XHR请求时要求保存密码。

As per comment suggested I tried to implement the url as username:password@example.com and LastPass does not recognize this anymore.

I verified via curl that the API works with this syntax but when I implemented it into like this:

(function() {
  superagent('GET', 'https://username:password@httpbin.org/anything')
    .auth('Username', 'Password')
    .type('application/json')
    .then(res => {
      console.debug('res', res);
    })
    .catch(err => {
      console.debug('err', err)
    });
})();

the API does not accept this anymore.

I contacted the developer of the API and he said the request did not contain the authentication information. I wonder if the browser somehow stripped it out? When accessing the URL directly in the browser it works, but is the browser converting it behind the scenes into a header?
Calling the URL in Firefox shows an authentication header but in chrome it does not. Either way both seem to work.

答案1

得分: 1

我们现在已经找到了解决这个问题的方法。我们正在使用代理来设置身份验证标头并将请求传递给API。

我从原始代码中删除了身份验证并将URL更改为代理路径:

(function() {
  superagent('GET', 'https://example.com/proxy-path')
    .type('application/json')
    .then(res => {
      console.debug('res', res);
    })
    .catch(err => {
      console.debug('err', err)
    });
})();

然后在Apache中,我们配置了代理以在未设置时添加标头:

SSLProxyEngine on
ProxyPass /proxy-path https://api-url.com/
ProxyPassReverse /proxy-path https://api-url.com/
<LocationMatch "/proxy-path">
    RequestHeader setifempty authorization "Basic base64Credentials"
</LocationMatch>

通过这种解决方案,LastPass没有身份验证标头可供扫描,并且请求带有身份验证标头传递到API。

代理的缺点是我们的响应时间增加了20-30毫秒。在我们的情况下,这不算多,可以接受。

英文:

We have now come up with a solution for this issue. We are using a proxy to set the authentication header and pass the request along to the api.

I remove the authentication from the original code and changed the url to the proxy path:

(function() {
  superagent(&#39;GET&#39;, &#39;https://example.com/proxy-path&#39;)
    .type(&#39;application/json&#39;)
    .then(res =&gt; {
      console.debug(&#39;res&#39;, res);
    })
    .catch(err =&gt; {
      console.debug(&#39;err&#39;, err)
    });
})();

Then in the apache we configured the proxy to add the header if it is not set:

SSLProxyEngine on
ProxyPass /proxy-path https://api-url.com/
ProxyPassReverse /proxy-path https://api-url.com/
&lt;LocationMatch &quot;/proxy-path&quot;&gt;
    RequestHeader setifempty authorization &quot;Basic base64Credentials&quot;
&lt;/LocationMatch&gt;

With this solution LastPass has no authentication header to scan and the request ist passed through to the api with the authentication header in place.

The disadvantage of the proxy is that we have an increased response time of 20-30ms. In our case this is not much and bearable .

huangapple
  • 本文由 发表于 2023年4月19日 19:03:07
  • 转载请务必保留本文链接:https://go.coder-hub.com/76053736.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定