Learning about the idea of the HTTP self-post

April 15, 2021

Suppose that you're on website B and it wants to send a large chunk of information to some endpoint on website A, through your browser. If this was a small amount of information, website B could use a HTTP redirect with the information stuffed into one or more query parameters. However, HTTP GET query parameters have a size limit and sometimes you have an especially verbose chunk of information to transfer. Enter what I've now seen called the "HTTP self-post". In a HTTP self-post, website B serves your browser a HTML page with a pre-filled POST form pointing to the endpoint on website A, and adds some Javascript to the page to immediately submit the form when the page loads.

(The page's HTML can have a little message telling you to 'Submit' things in case you have Javascript off.)

In one view, this is pretty close to cross-site request forgery and can only be told apart from it based on intent, which the browser can't really observe. In another view, this is essentially a POST based HTTP redirect, done through HTML and Javascript only because HTTP explicitly has no such thing (for good reasons). Of course, both views can be true at once.

You might ask, as I did when I read about this today, why website B doesn't make its own POST request to website A's endpoint instead of relaying its block of information through your browser. One reason is that website B may not be able to communicate directly with website A. Website B might be your corporate single sign on portal while website A is an internal web server inside your group's internal networks.

Another reason is that your browser may have to go back to website A anyway and coordinate with the information that website B is delivering to A. Again, consider SSO. Your browser has to return to website A to use it (and perhaps to be authorized), but website A needs to have the information from website B before it can do anything with you. It's simpler and more reliable to bolt these two things together, so that either you wind up on website A with it having all of the information necessary to move forward (in theory) or you go nowhere.

(In this scenario you visited website A as an unidentified and unauthenticated person and it sent you to website B to get identified. Your browser is the only thing guaranteed to be able to reach both websites, because if you can't reach one or the other nothing works.)

Hopefully I will never need to build a web system that uses HTTP self-post(ing), but at least now my ideas of how things can be done with HTTP have been expanded a bit. And if I do build such a system, I will have to carefully consider how to shield it from CSRF, since the two are so close to each other.

(This elaborates on a tweet of mine, which was written while I was slowly reading my way through the mod_auth_mellon user guide.)


Comments on this page:

From 193.219.181.219 at 2021-04-16 10:00:10:

You might ask, as I did when I read about this today, why website B doesn't make its own POST request to website A's endpoint instead of relaying its block of information through your browser. One reason is that website B may not be able to communicate directly with website A.

It may work in reverse though, since website B (the login portal) is likely to be accessible, so A should be able to query it – and I think that's what "Artifact" bindings are about, i.e. the IdP provides a short token through GET parameters and the service makes its own direct GET request to the IdP using that token. But I'm not sure if this ever gets used in practice, due to added complexity on both sides.

I should look into mod_auth_mellon again, but I've found that (surprisingly) mod_shib was easier to configure despite looking like a beast at first glance, as well as adding some security isolation due to handling the SAML messages in a separate process under its own uid.

Written on 15 April 2021.
« Link: "a2d<C-V>3gE: Vim normal mode grammar
A Firefox surprise from disabling dom.event.clipboardevents.enabled »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Thu Apr 15 23:45:13 2021
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.