CredentialsContainer.get() - Web APIs
The get() method of the CredentialsContainer interface returns a Promise to a single Credential instance that matches the provided parameters. ... This method first collects all credentials in the CredentialsContainer that meet the necessary criteria (defined in the options argument). ... From the resulting set of credentials, it then selects the best one.
Access-Control-Allow-Credentials - HTTP
The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is include. ... When a request's credentials mode (Request.credentials) is include, browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true. ... Credentials are cookies, authorization headers or TLS client certificates.
CredentialsContainer - Web APIs
The CredentialsContainer interface of the Credential Management API exposes methods to request credentials and notify the user agent when events such as successful sign in or sign out happen. ... This interface is accessible from Navigator.credentials. ... Methods: CredentialsContainer.create() (secure context) returns a Promise that resolves with a new Credential instance based on the provided options, or null if no Credential object can be created.
PublicKeyCredentialRequestOptions.allowCredentials - Web APIs
allowCredentials is an optional property of the PublicKeyCredentialRequestOptions dictionary which indicates the existing credentials acceptable for retrieval. ... Note: PublicKeyCredentialCreationOptions.excludeCredentials may be used during the creation of the credentials in order to avoid creating new credentials for an existing user with an existing public key credential. ... Contrary to allowCredentials, it is used to filter out credentials.
Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’ - HTTP
Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’. What went wrong? ... The CORS request requires that the server permit the use of credentials, but the server's Access-Control-Allow-Credentials header's value isn't set to true to enable their use. ... To fix this problem on the client side, revise the code to not request the use of credentials.
Request.credentials - Web APIs
The credentials read-only property of the Request interface indicates whether the user agent should send cookies from the other domain in the case of cross-origin requests. ... Syntax: var myCred = request.credentials; Value: a RequestCredentials dictionary value indicating whether the user agent should send cookies from the other domain in the case of cross-origin requests. ... same-origin: send user credentials (cookies, basic HTTP auth, etc.) if the URL is on the same origin as the calling script.
XMLHttpRequest.withCredentials - Web APIs
The XMLHttpRequest.withCredentials property is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. ... Setting withCredentials has no effect on same-site requests. ... XMLHttpRequest from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request.
PublicKeyCredentialCreationOptions.excludeCredentials - Web APIs
excludeCredentials, an optional property of the PublicKeyCredentialCreationOptions dictionary, is an array whose elements are descriptors for the public keys already existing for a given user. ... This is provided by the relying party's server if it wants to prevent creation of new credentials for an existing user. ... Syntax: excludeCredentials = publicKeyCredentialCreationOptions.excludeCredentials; Value: an array whose elements are objects with the following properties: type: a string describing the type of public-key credential to be created.
CredentialsContainer.create() - Web APIs
The create() method of the CredentialsContainer interface returns a Promise that resolves with a new Credential instance based on the provided options, or null if no Credential object can be created. ... Syntax: var promise = CredentialsContainer.create([options]); Parameters: options, an object of type CredentialCreationOptions that contains options for the requested new Credentials object. ... Contains requirements for creating/obtaining federated credentials. ... Web Authentication: An API for accessing Public Key Credentials Level 1, Recommendation, initial definition.
EventSource.withCredentials - Web APIs
The withCredentials read-only property of the EventSource interface returns a Boolean indicating whether the EventSource object was instantiated with CORS credentials set. ... Syntax: var myWithCredentials = eventSource.withCredentials; Value: a Boolean indicating whether the EventSource object was instantiated with CORS credentials set (true), or not (false, the default). ... Examples: var evtSource = new EventSource('sse.php'); console.log(evtSource.withCredentials); Note: you can find a full example on GitHub — see Simple SSE demo using PHP. ... Specifications: HTML Living Standard, the definition of 'withCredentials' in that specification.
Navigator.credentials - Web APIs
The credentials property of the Navigator interface returns the CredentialsContainer interface, which exposes methods to request credentials. ... The CredentialsContainer interface also notifies the user agent when an interesting event occurs, such as a successful sign-in or sign-out. ... Syntax: var credentialsContainer = navigator.credentials; Value: the CredentialsContainer interface. ... Example:
  if ('credentials' in navigator) {
    navigator.credentials.get({password: true})
      .then(function(creds) {
        // do something with the credentials.
Feature-Policy: publickey-credentials-get - HTTP
The HTTP Feature-Policy header publickey-credentials-get directive controls whether the current document is allowed to access the Web Authentication API to create new public-key credentials, i.e., via navigator.credentials.get({publicKey: ..., ...}). ... When this policy is enabled, any attempt to query public key credentials will result in an error. ... Syntax: Feature-Policy: publickey-credentials-get <allowlist>; <allowlist>: an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin. ... Definition of the publickey-credentials-get directive, default allowlist.
CredentialsContainer.preventSilentAccess() - Web APIs
The preventSilentAccess() method of the CredentialsContainer interface sets a flag that specifies whether automatic log in is allowed for future visits to the current origin, then returns an empty Promise. ... Mediation varies by origin, and is an added check point of browser stored credentials, informing a user of an account login status. ... Syntax: var promise = CredentialsContainer.preventSilentAccess(); Parameters: none.
CredentialsContainer.store() - Web APIs
The store() method of the CredentialsContainer stores a set of credentials for the user inside a Credential instance, returning this in a Promise. ... Syntax: CredentialsContainer.store(credential).then(function(credential) { ... }); Parameters: credentials, a valid Credential instance.
passwords - Archive of obsolete content
Interact with Firefox's Password Manager to add, retrieve and remove stored credentials. ... Using this module you can: search for credentials which have been stored in the Password Manager. ... You can then use the credentials to access their related service (for example, by logging into a web site).
Index - Web APIs
216 AuthenticatorAssertionResponse (tags: API, Authentication, AuthenticatorAssertionResponse, Interface, Reference, Web Authentication API, WebAuthn): the AuthenticatorAssertionResponse interface of the Web Authentication API is returned by CredentialsContainer.get() when a PublicKeyCredential is passed, and provides proof to a service that it has a key pair and that the authentication request is valid and approved. ... Such an identifier can be used by the relying party's server to link the user account with its corresponding credentials and other data. ... 220 AuthenticatorAttestationResponse (tags: API, Authentication, AuthenticatorAttestationResponse, Interface, Reference, Web Authentication API, WebAuthn): the AuthenticatorAttestationResponse interface of the Web Authentication API is returned by CredentialsContainer.create() when a PublicKeyCredential is passed, and provides a cryptographic root of trust for the new key pair that has been generated.
Web Authentication API - Web APIs
Similar to the other forms of the Credential Management API, the Web Authentication API has two basic methods that correspond to register and login: navigator.credentials.create(), when used with the publicKey option, creates new credentials, either for registering a new account or for associating a new asymmetric key pair credentials with an existing account. ... navigator.credentials.get(), when used with the publicKey option, uses an existing set of credentials to authenticate to a service, either logging a user in or as a form of second-factor authentication. ... In order to understand how the create() and get() methods fit into the bigger picture, it is important to understand that they sit between two components that are outside the browser: Server: the Web Authentication API is intended to register new credentials on a server (also referred to as a service or a relying party) and later use those same credentials on that same server to authenticate a user.
HTTP authentication - HTTP
A client that wants to authenticate itself with the server can then do so by including an Authorization request header with the credentials. ... In the case of proxies, the challenging status code is 407 (Proxy Authentication Required), the Proxy-Authenticate response header contains at least one challenge applicable to the proxy, and the Proxy-Authorization request header is used for providing the credentials to the proxy server. ... Access forbidden: if a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the 403 Forbidden status code.
Cross-Origin Resource Sharing (CORS) - HTTP
Servers can also inform clients whether "credentials" (such as cookies and HTTP authentication) should be sent with requests. ... Requests with credentials: the most interesting capability exposed by both XMLHttpRequest or Fetch and CORS is the ability to make "credentialed" requests that are aware of HTTP cookies and HTTP authentication information. ... By default, in cross-site XMLHttpRequest or Fetch invocations, browsers will not send credentials.
Credential Management API - Web APIs
The Credential Management API lets a website store and retrieve user, federated, and public key credentials. ... Credential management concepts and usage: this API lets websites interact with a user agent's password system so that websites can deal in a uniform way with site credentials and user agents can provide better assistance with the management of their credentials. ... To address these problems, the Credential Management API provides ways for a website to store and retrieve different types of credentials.
HTTP Index - HTTP
30 Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’ (tags: CORS, CORSNotSupportingCredentials, Cross-Origin, Error, HTTP, HTTPS, Messages, Reasons, Security, console, troubleshooting): the CORS request was attempted with the credentials flag set, but the server is configured using the wildcard ("*") as the value of Access-Control-Allow-Origin, which doesn't allow the use of credentials. ... 33 Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’ (tags: CORS, CORSMissingAllowCredentials, Cross-Origin, Error, HTTP, HTTPS, Messages, Reasons, Security, console, troubleshooting): the CORS request requires that the server permit the use of credentials, but the server's Access-Control-Allow-Credentials header's value isn't set to true to enable their use. ... 55 Access-Control-Allow-Credentials (tags: Access-Control-Allow-Credentials, CORS, HTTP, Reference, credentials, header): the Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is include.
Using Fetch - Web APIs
fetch won't send cookies, unless you set the credentials init option. ... The spec changed the default credentials policy to same-origin. ...
  mode: 'cors', // no-cors, *cors, same-origin
  cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
  credentials: 'same-origin', // include, *same-origin, omit
  headers: {
    'Content-Type': 'application/json'
    // 'Content-Type': 'application/x-www-form-urlencoded',
  },
  redirect: 'follow', // manual, *follow, error
  referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, un...
PublicKeyCredentialCreationOptions - Web APIs
The PublicKeyCredentialCreationOptions dictionary of the Web Authentication API holds options passed to navigator.credentials.create() in order to create a PublicKeyCredential. ... PublicKeyCredentialCreationOptions.excludeCredentials (optional): an array of descriptors for existing credentials. ... This is provided by the relying party to avoid creating new public key credentials for an existing user who already has some.
PublicKeyCredential.response - Web APIs
The response read-only property of the PublicKeyCredential interface is an AuthenticatorResponse object which is sent from the authenticator to the user agent for the creation/fetching of credentials. ... An AuthenticatorResponse is either an AuthenticatorAttestationResponse (when the PublicKeyCredential is created via CredentialsContainer.create()) or an AuthenticatorAssertionResponse (when the PublicKeyCredential is obtained via CredentialsContainer.get()). ... In order to validate the creation of credentials, a relying party's server needs both this response and the extensions of the client (given by PublicKeyCredential.getClientExtensionResults()) to validate the demand.
HTML attribute: crossorigin - HTML: Hypertext Markup Language
These attributes are enumerated, and have the following possible values (keyword: description): anonymous: CORS requests for this element will have the credentials flag set to 'same-origin'. ... use-credentials: CORS requests for this element will have the credentials flag set to 'include'. ... The "anonymous" keyword means that there will be no exchange of user credentials via cookies, client-side SSL certificates or HTTP authentication as described in the Terminology section of the CORS specification, unless it is in the same origin.
PublicKeyCredential - Web APIs
This identifier can be used to look up credentials for future calls to CredentialsContainer.get(). ... It is either of type AuthenticatorAttestationResponse if the PublicKeyCredential was the result of a navigator.credentials.create() call, or of type AuthenticatorAssertionResponse if the PublicKeyCredential was the result of a navigator.credentials.get() call. ... Examples: creating a new instance of PublicKeyCredential. Here, we use navigator.credentials.create() to generate a new credential.
PublicKeyCredentialRequestOptions - Web APIs
The PublicKeyCredentialRequestOptions dictionary of the Web Authentication API holds the options passed to navigator.credentials.get() in order to fetch a given PublicKeyCredential. ... PublicKeyCredentialRequestOptions.allowCredentials (optional): an array of credential descriptors which restricts the acceptable existing credentials for retrieval. ... dealing with legacy FIDO API credentials, prompting a specific text on the authenticator, etc.).
Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’ - HTTP
The CORS request was attempted with the credentials flag set, but the server is configured using the wildcard ("*") as the value of Access-Control-Allow-Origin, which doesn't allow the use of credentials. ... To correct this problem on the client side, simply ensure that the credentials flag's value is false when issuing your CORS request. ... If the request is being issued using XMLHttpRequest, make sure you're not setting withCredentials to true.
Website security - Learn web development
Cross-Site Request Forgery (CSRF): CSRF attacks allow a malicious user to execute actions using the credentials of another user without that user's knowledge or consent. ... Note: the trick here is that John doesn't need to have access to the user's cookies (or access credentials). ... This technique might be used, for example, to display a legitimate bank site but capture the login credentials into an invisible <iframe> controlled by the attacker. ... This ensures that login credentials, cookies, POST request data and header information are not easily available to attackers.
AuthenticatorAssertionResponse.userHandle - Web APIs
Such an identifier can be used by the relying party's server to link the user account with its corresponding credentials and other data. ... Note: an AuthenticatorAssertionResponse instance is available on PublicKeyCredential.response after calling navigator.credentials.get(). ... (username, e-mail, phone number, etc.) Examples:
  var options = {
    challenge: new Uint8Array(26), // will be another value, provided by the relying party server
    timeout: 60000
  };
  navigator.credentials.get({ publicKey: options })
    .then(function (assertionPKCred) {
      var userHandle = assertionPKCred.response.userHandle;
      // send response and client extensions to the server so that it can
      // go on with the authentication
    }).catch(function (err) {
      console.error(err);
    });
Specifications: Web Authentication: An API for accessing Public Key Credentials Level 1, the definition of 'userHandle' in that specification.
HTMLImageElement.crossOrigin - Web APIs
Permitted values are: anonymous: requests by the <img> element have their mode set to cors and their credentials mode set to same-origin. ... This means that CORS is enabled and credentials are sent if the image is fetched from the same origin from which the document was loaded. ... use-credentials: requests by the HTMLImageElement will use the cors mode and the include credentials mode; all image requests by the element will use CORS, regardless of what domain the fetch is from. ... Example: in this example, a new <img> element is created and added to the document, loading the image with the anonymous state; the image will be loaded using CORS and credentials will be used for all cross-origin loads.
PublicKeyCredentialCreationOptions.user - Web APIs
The user property of the PublicKeyCredentialCreationOptions dictionary is an object describing the user account for which the credentials are generated (via navigator.credentials.create()). ... This is an opaque identifier which can be used by the authenticator to link the user account with its corresponding credentials. ... This value will later be used when fetching the credentials in AuthenticatorAssertionResponse.userHandle. ...
    name: "Example CORP",
    id: "login.example.com"
  },
  user: {
    // to be changed for each user
    id: Uint8Array.from(window.atob("laegmlkjnrlkgnamlafalfka="), c => c.charCodeAt(0)),
    name: "jdoe@example.com",
    displayName: "John Doe",
    icon: "https://gravatar.com/avatar/jdoe.png"
  },
  pubKeyCredParams: [ { type: "public-key", alg: -7 } ]
};
navigator.credentials.create({ publicKey })
  .then(function (newCredentialInfo) {
    // send attestation response and client extensions
    // to the server to proceed with the registration
    // of the credential
  }).catch(function (err) {
    console.error(err);
  });
Specifications: Web Authentication: An API for accessing Public Key Credentials Level 1...
Authorization - HTTP
The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually, but not necessarily, after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header. ... Header type: request header. Forbidden header name: no. Syntax: Authorization: <type> <credentials>. Directives: <type>: authentication type. ... Other types: IANA registry of Authentication schemes; authentication for AWS servers (AWS4-HMAC-SHA256). <credentials>: if the "Basic" authentication scheme is used, the credentials are constructed like this: the username and the password are combined with a colon (aladdin:opensesame). ... This method is equally secure as sending the credentials in clear text (base64 is a reversible encoding).
Proxy-Authorization - HTTP
The HTTP Proxy-Authorization request header contains the credentials to authenticate a user agent to a proxy server, usually after the server has responded with a 407 Proxy Authentication Required status and the Proxy-Authenticate header. ... Header type: request header. Forbidden header name: no. Syntax: Proxy-Authorization: <type> <credentials>. Directives: <type>: authentication type. ... <credentials>: the credentials are constructed like this: the username and the password are combined with a colon (aladdin:opensesame). ... This method is equally secure as sending the credentials in clear text (base64 is a reversible encoding).
How do you upload your files to a web server? - Learn web development
Your account is: demozilla. Your website will be visible at demozilla.examplehostingprovider.net. To publish to this account, please connect through SFTP with the following credentials: SFTP server: sftp://demozilla.examplehostingprovider.net; username: demozilla; password: quickbrownfox; port: 5548. To publish on the web, put your files into the public/htdocs directory. ... user@ is the credentials of the user on the remote server you want to copy files over to. ... Again, you would have to get the connection credentials from your hosting provider, but this way you'd have a GUI to enter them in.
nsIMsgCloudFileProvider
void refreshUserInfo(in boolean aWithUI, in nsIRequestObserver aCallback); Parameters: aWithUI: whether or not the provider should prompt the user for credentials in the event that the stored credentials have gone stale. ... If aWithUI is false, and the credentials are stale, the onStopRequest of the aCallback nsIRequestListener will get the authErr status code passed to it. ... createExistingAccount(): for an init'ed nsIMsgCloudFileProvider, attempts to communicate with the service provider in order to get the proper credentials for starting uploads.
Console messages - Firefox Developer Tools
This is a security risk that allows user login credentials to be stolen.
AuthenticatorAssertionResponse.authenticatorData - Web APIs
This is only present during a navigator.credentials.create() call. ... Examples:
  var options = {
    challenge: new Uint8Array(26), // will be another value, provided by the relying party server
    timeout: 60000
  };
  navigator.credentials.get({ publicKey: options })
    .then(function (assertionPKCred) {
      var authenticatorData = assertionPKCred.response.authenticatorData;
      // maybe try to convert the authenticatorData to see what's inside
      // send response and client extensions to the server so that it can
      // go on with the authentication
    }).catch(function (err) {
      console.error(err);
    });
Specifications: Web Authentication: An API for accessing Public Key Credentials Level 1, the definition of 'authenticatorData' in that specification.
AuthenticatorAssertionResponse.signature - Web APIs
Note: an AuthenticatorAssertionResponse instance is available on PublicKeyCredential.response after calling navigator.credentials.get(). ... Examples:
  var options = {
    challenge: new Uint8Array(26), // will be another value, provided by the relying party server
    timeout: 60000
  };
  navigator.credentials.get({ publicKey: options })
    .then(function (assertionPKCred) {
      var signature = assertionPKCred.response.signature;
      // send response and client extensions to the server so that it can
      // go on with the authentication
    }).catch(function (err) {
      console.error(err);
    });
Specifications: Web Authentication: An API for accessing Public Key Credentials Level 1, the definition of 'signature' in that specification.
AuthenticatorAssertionResponse - Web APIs
The AuthenticatorAssertionResponse interface of the Web Authentication API is returned by CredentialsContainer.get() when a PublicKeyCredential is passed, and provides proof to a service that it has a key pair and that the authentication request is valid and approved. ... The assertion signature is created with the private key of the key pair that was created during the navigator.credentials.create() call and verified using the public key of that same key pair. ... Examples:
  var options = {
    challenge: new Uint8Array([/* bytes sent from the server */])
  };
  navigator.credentials.get({ "publicKey": options })
    .then(function (credentialInfoAssertion) {
      var assertionResponse = credentialInfoAssertion.response;
      // do something specific with the response
      // send assertion response back to the server
      // to proceed with the control of the credential
    }).catch(function (err) {
      console.error(err);
    });
Specifications: Web Authentication: An API for accessing Public Key Credentials Level 1, the definition of 'AuthenticatorAssertionResponse interface' i...
AuthenticatorAttestationResponse.attestationObject - Web APIs
As part of the CredentialsContainer.create() call, an authenticator will create a new key pair as well as an attestationObject for that key pair. ... Examples:
  var publicKey = {
    challenge: /* from the server */,
    rp: {
      name: "Example CORP",
      id: "login.example.com"
    },
    user: {
      id: new Uint8Array(16),
      name: "jdoe@example.com",
      displayName: "John Doe"
    },
    pubKeyCredParams: [ { type: "public-key", alg: -7 } ]
  };
  navigator.credentials.create({ publicKey })
    .then(function (newCredentialInfo) {
      var attestationObj = newCredentialInfo.response.attestationObject;
      // this will be a CBOR encoded ArrayBuffer
      // do something with the response
      // (sending it back to the relying party server maybe?)
    }).catch(function (err) {
      console.error(err);
    });
Specifications: ... Web Authentication: An API for accessing Public Key Credentials Level 1, the definition of 'attestationObject' in that specification.
AuthenticatorResponse - Web APIs
AuthenticatorAssertionResponse, AuthenticatorAttestationResponse. Properties: AuthenticatorResponse.clientDataJSON: a JSON string in an ArrayBuffer, representing the client data that was passed to CredentialsContainer.create() or CredentialsContainer.get(). ... Examples: getting an AuthenticatorAssertionResponse:
  var options = {
    challenge: new Uint8Array([/* bytes sent from the server */])
  };
  navigator.credentials.get({ "publicKey": options })
    .then(function (credentialInfoAssertion) {
      var assertionResponse = credentialInfoAssertion.response;
      // send assertion response back to the server
      // to proceed with the control of the credential
    }).catch(function (err) {
      console.error(err);
    });
Getting an AuthenticatorAttestationResponse:
  var publicKey = {
    challenge: /* from the server */,
    rp: {
      name: "Example CORP",
      id: "login.example.com"
    },
    user: {
      id: new Uint8Array(16),
      name: "jdoe@example.com",
      displayName: "John Doe"
    },
    pubKeyCredParams: [ { type: "public-key", alg: -7 } ]
  };
  navigator.credentials.create({ publicKey })
    .then(function (newCredentialInfo) {
      var attestationResponse = newCredentialInfo.response;
    }).catch(function (err) {
      console.error(err);
    });
Specifications: Web Authentication: An API for accessing Public Key Credentials Level 1, the definition of 'AuthenticatorResponse interface' in that specification.
Fetch API - Web APIs
fetch() won't send cookies, unless you set credentials: 'same-origin'. ... In August 2017, the spec changed the default credentials policy to 'same-origin'. ... If you are targeting older versions of these browsers, be sure to include the credentials: 'same-origin' init option on all API requests that may be affected by cookies/user login state.
PublicKeyCredential.getClientExtensionResults() - Web APIs
During the creation or fetching of a PublicKeyCredential (respectively via navigator.credentials.create() and navigator.credentials.get()), it is possible to have "custom" processing by the client for different extensions which are respectively given by PublicKeyCredentialCreationOptions.extensions and PublicKeyCredentialRequestOptions.extensions. ...
      // user verification index: how the user was verified
    },
    challenge: new Uint8Array(16) /* from the server */,
    rp: {
      name: "Example CORP",
      id: "login.example.com"
    },
    user: {
      id: new Uint8Array(16) /* from the server */,
      name: "jdoe@example.com",
      displayName: "John Doe"
    },
    pubKeyCredParams: [ { type: "public-key", alg: -7 } ]
  };
  navigator.credentials.create({ publicKey })
    .then(function (newCredentialInfo) {
      var myBuffer = newCredentialInfo.getClientExtensionResults();
      // myBuffer will contain the result of any of the processing of the "loc" and "uvi" extensions
    }).catch(function (err) {
      console.error(err);
    });
Specifications: Web Authentication: An API for accessing Public Key Credentials Level 1, the definition of 'getClientExtensionResults()' in that specification.
PublicKeyCredential.rawId - Web APIs
The rawId read-only property of the PublicKeyCredential interface is an ArrayBuffer object containing the identifier of the credentials. ... Syntax: rawId = publicKeyCredential.rawId; Value: an ArrayBuffer containing the identifier of the credentials. ... Examples:
  var options = {
    challenge: new Uint8Array(26) /* from the server */,
    rp: {
      name: "Example CORP",
      id: "login.example.com"
    },
    user: {
      id: new Uint8Array(26), /* to be changed for each user */
      name: "jdoe@example.com",
      displayName: "John Doe",
    },
    pubKeyCredParams: [ { type: "public-key", alg: -7 } ]
  };
  navigator.credentials.create({ publicKey: options })
    .then(function (pubKeyCredential) {
      var rawId = pubKeyCredential.rawId;
      // do something with rawId
    }).catch(function (err) {
      // deal with any error
    });
Specifications: Web Authentication: An API for accessing Public Key Credentials Level 1, the definition of 'rawId' in that specification.
PublicKeyCredentialCreationOptions.extensions - Web APIs
Note: an analogous option exists for the fetching operation (navigator.credentials.get()), see PublicKeyCredentialRequestOptions.extensions. ...
      ...e,
      uvm: false,
      exts: true
    },
    challenge: new Uint8Array(26) /* this actually is given from the server */,
    rp: {
      name: "Example CORP",
      id: "login.example.com"
    },
    user: {
      id: new Uint8Array(26), /* to be changed for each user */
      name: "jdoe@example.com",
      displayName: "John Doe",
    },
    pubKeyCredParams: [ { type: "public-key", alg: -7 } ]
  };
  navigator.credentials.create({ publicKey })
    .then(function (newCredentialInfo) {
      // myBuffer will contain the result of any of the processing of the extensions
      var myBuffer = newCredentialInfo.getClientExtensionResults();
      // send attestation response and client extensions
      // to the server to proceed with the registration
      // of the credential
    }).catch(function (err) {
      console.error(err);
    });
Specifications: Web Authentication: An API for accessing Public Key Credentials Level 1, the definition of 'extensions' in that specification.
Request - Web APIs
request.context read only contains the context of the request (e.g., audio, image, iframe, etc.) request.
credentials read only contains the
credentials of the request (e.g., omit, same-origin, include).
... examples in the following snippet, we create a new request using the request() constructor (for an image file in the same directory as the script), then return some property values of the request: const request = new request('https://www.mozilla.org/favicon.ico'); const url = request.url; const method = request.method; const
credentials = request.
credentials; you could then fetch this request by passing the request object in as a parameter to a windoworworkerglobalscope.fetch() call, for example: fetch(request) .then(response => response.blob()) .then(blob => { image.src = url.createobjecturl(blob); }); in the following snippet, we create a new request using the request() constructor with some initial data and body...
... content for an api request which need a body payload: const request = new request('https://example.com', {method: 'post', body: '{"foo": "bar"}'}); const url = request.url; const method = request.method; const
credentials = request.
credentials; const bodyused = request.bodyused; note: the body type can only be a blob, buffersource, formdata, urlsearchparams, usvstring or readablestream type, so for adding a json object to the payload you need to stringify that object.
WindowOrWorkerGlobalScope.fetch() - Web APIs
credentials the request
credentials you want to use for the request: omit, same-origin, or include.
... typeerror the specified url string includes user
credentials.
... living standard initial definition credential management level 1 working draft adds federatedcredential or passwordcredential instance as a possible value for init.
credentials.
Worklet.addModule() - Web APIs
options optional an object with any of the following options:
credentials: a request
credentials value that indicates whether to send
credentials (e.g.
...see also request.
credentials.
... examples audioworklet example const audioctx = new audiocontext(); const audioworklet = audioctx.audioworklet; await audioworklet.addmodule('modules/bypassfilter.js', {
credentials: 'omit', }); paintworklet example css.paintworklet.addmodule('https://mdn.github.io/houdini-examples/csspaint/intro/worklets/hilite.js'); once a paintworklet is included, the css paint() function can be used to include the image created by the worklet: @supports (background-image: paint(id)) { h1 { background-image: paint(hollowhighlights, filled, 3px); } } specifications ...
<audio>: The Embed Audio element - HTML: Hypertext Markup Language
if the server does not grant access to the origin site (by not setting the access-control-allow-origin http header), the media resource will be tainted and its usage restricted.
... use-credentials sends a cross-origin request with credentials (cookies, an authorization header or a tls client certificate).
...if the server does not opt in to sharing with the origin site (through the access-control-allow-credentials: true http header), the media resource will be tainted and its usage restricted.
<img>: The Image Embed element - HTML: Hypertext Markup Language
allowed values: anonymous a cors request is sent with
credentials omitted (that is, no cookies, x.509 certificates, or authorization request header).
... use-
credentials the cors request is sent with any
credentials included (that is, cookies, x.509 certificates, and the authorization request header).
... if the server does not opt into sharing
credentials with the origin site (by sending back the access-control-allow-
credentials: true response header), then the browser marks the image as tainted and restricts access to its image data.
<link>: The External Resource Link element - HTML: Hypertext Markup Language
if the server does not give
credentials to the origin site (by not setting the access-control-allow-origin http header) the resource will be tainted and its usage restricted.
... use-
credentials a cross-origin request (i.e.
...if the server does not give
credentials to the origin site (through access-control-allow-
credentials http header), the resource will be tainted and its usage restricted.
<video>: The Video Embed element - HTML: Hypertext Markup Language
if the server does not grant access to the origin site (by not setting the access-control-allow-origin http header), the media resource will be tainted and its usage restricted.
... use-credentials sends a cross-origin request with credentials (cookies, an authorization header or a tls client certificate).
...if the server does not opt in to sharing with the origin site (through the access-control-allow-credentials: true http header), the media resource will be tainted and its usage restricted.
Access-Control-Expose-Headers - HTTP
* (wildcard) the value "*" only counts as a special wildcard value for requests without
credentials (requests without http cookies or http authentication information).
... in requests with
credentials, it is treated as the literal header name "*" without special semantics.
... examples to expose a non-cors-safelisted request header, you can specify: access-control-expose-headers: content-length to additionally expose a custom header, like x-kuma-revision, you can specify multiple headers separated by a comma: access-control-expose-headers: content-length, x-kuma-revision in requests without
credentials, you can also use a wildcard value: access-control-expose-headers: * however, this won't wildcard the authorization header, so if you need to expose that, you will need to list it explicitly: access-control-expose-headers: *, authorization specifications specification status comment fetchthe definition of 'access-control-expose-headers' in that specification.
Index - HTTP
7 access-control-allow-
credentials cors, http, reference, header the access-control-allow-
credentials response header tells browsers whether to expose the response to frontend javascript code when the request's
credentials mode (request.
credentials) is "include".
... 18 authorization http, http header, reference, request header, header the http authorization request header contains the
credentials to authenticate a user agent with a server, usually after the server has responded with a 401 unauthorized status and the www-authenticate header.
... 90 proxy-authorization http, http header, reference, request header, header the http proxy-authorization request header contains the
credentials to authenticate a user agent to a proxy server, usually after the server has responded with a 407 proxy authentication required status and the proxy-authenticate header.
HTTP headers - HTTP
authorization contains the
credentials to authenticate a user-agent with a server.
... proxy-authorization contains the
credentials to authenticate a user agent with a proxy server.
... access-control-allow-
credentials indicates whether the response to the request can be exposed when the
credentials flag is true.
jpm - Archive of obsolete content
to get values for --api-key and --api-secret, you will need to create api
credentials on addons.mozilla.org.
...you should revoke and regenerate compromised api
credentials immediately.
Downloading Files - Archive of obsolete content
lfprogress, acurtotalprogress, amaxtotalprogress) { var percentcomplete = math.round((acurtotalprogress / amaxtotalprogress) * 100); progresselement.textcontent = percentcomplete +"%"; }, onstatechange: function(awebprogress, arequest, astateflags, astatus) { // do something } } persist.saveuri(obj_uri, null, null, null, "", targetfile, privacy); downloading files that require
credentials before calling nsiwebbrowserpersist.saveuri(), you need to set the progresslistener property of the nsiwebbrowserpersist instance to an object that implements nsiauthprompt.
... normally, nsiauthprompt expects a prompt to be displayed so the user can enter
credentials, but you can return a username and password
credentials directly without prompting the user.
Index - Archive of obsolete content
52 passwords add-on sdk interact with firefox's password manager to add, retrieve and remove stored
credentials.
... 450 firefox accounts oauth dashboard authentication, firefox accounts, identity, mozilla, fxa fxa oauth credential management dashboard is a web application that lets you provision firefox accounts oauth
credentials.
SQL Injection - MDN Web Docs Glossary: Definitions of Web-related terms
word, behind the gui the sql queries work as follows: "select count(*) from users where username=' " + txt.user.text+" ' and password=' "+ txt.password.text+" ' "; now suppose user enters the username: admin and password: passwd123, so after clicking on the log in button, sql query will run as follows: "select count(*) from users where username=' admin ' and password=' passwd123 ' "; if the
credentials are correct, then the user is allowed to log in, so it's a very simple (and therefore insecure) mechanism.
... how to prevent before executing the queries for the user
credentials, make some changes like the following: $id = $_get['id'] (1) $id = stripslashes($id) (2) $id = mysql_real_escape_string($id) here (1) stripslashes() removes any backslashes already present in the input so that escaping is not applied twice, and (2) mysql_real_escape_string() prefixes each special character, such as a single quote ('), with a backslash (\) so that the database reads it as data rather than as sql syntax. note that the mysql_* functions were removed in php 7; the robust fix is a prepared statement with bound parameters (mysqli or pdo), which keeps user input out of the statement text altogether.
Integrated Authentication
so, it is paramount that the browser does not freely exchange ntlm user
credentials with any server that requests them.
... the ntlm response includes a hash of the user's logon
credentials.
Phishing: a short definition
the login portal might resemble the trusted website's login page very closely, and convince users to enter their
credentials, letting others hijack their account.
...users look for these when logging in, and only enter their
credentials when they recognize the user defined pictures or words.
NSS 3.51.1 release notes
notable changes in nss 3.51.1 bug 1617968 - update delegated
credentials implementation to draft-07.
XPCOM Interface Reference by grouping
sagemanager nsiscriptableio nsixpcscriptable future nsixmlhttprequestupload obsolete nsixmlrpcclient nsixmlrpcfault security auth nsiauthmodule nsiauthprompt nsiauthpromptprovider nsiauthpromptwrapper nsiasyncverifyredirectcallback content nsicontentpolicy
credentials nsilogininfo nsiloginmanager using nsiloginmanager nsiloginmanagerstorage nsiloginmetainfo history nsiglobalhistory nsiglobalhistory2 nsiglobalhistory3 ssl nsibadcertlistener2 system action nsicancelable application ...
... nsialertsservice nsiwebprogress nsiwebprogresslistener nsiwebprogresslistener2 update nsiupdate nsiupdatechecker nsiupdatechecklistener nsiupdateitem nsiupdatemanager nsiupdatepatch nsiupdateprompt nsiupdatetimermanager nsiprogramminglanguage thunderbird
credentials nsimsgaccountmanagerextension element nsieditormailsupport message nsidbchangeannouncer nsidbchangelistener nsimessenger nsimsgcompfields nsimsgcustomcolumnhandler nsimsgdatabase nsimsgdbhdr nsimsgdbview nsimsgdbviewcommandupdater nsimsgfolder nsimsgidentity nsims...
AuthenticatorAttestationResponse.getTransports() - Web APIs
note: an authenticatorattestationresponse instance is available on publickeycredential.response after calling navigator.
credentials.create().
... examples var publickey = { challenge: /* from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(16), name: "jdoe@example.com", displayname: "john doe" }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.
credentials.create({ publickey }) .then(function (newcredentialinfo) { var transports = newcredentialinfo.response.gettransports(); console.table(transports); // may be something like ["internal", "nfc", "usb"] }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key crede...
AuthenticatorAttestationResponse - Web APIs
the authenticatorattestationresponse interface of the web authentication api is returned by
credentialscontainer.create() when a publickeycredential is passed, and provides a cryptographic root of trust for the new key pair that has been generated.
... examples var publickey = { challenge: /* from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(16), name: "jdoe@example.com", displayname: "john doe" }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.
credentials.create({ publickey }) .then(function (newcredentialinfo) { var response = newcredentialinfo.response; // do something with the response // (sending it back to the relying party server maybe?) }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credenti...
AuthenticatorResponse.clientDataJSON - Web APIs
the clientdatajson property of the authenticatorresponse interface stores a json string in an arraybuffer, representing the client data that was passed to
credentialscontainer.create() or
credentialscontainer.get().
...clientdataobj = json.parse(clientdatastr); console.log(clientdataobj.type); // "webauthn.create" or "webauthn.get" console.log(clientdataobj.challenge); // base64url-encoded string containing the original challenge; the server must compare it with the one it issued console.log(clientdataobj.origin); // the window.origin, which the server must check against its own relying-party origin specifications specification status comment web authentication: an api for accessing public key
credentials level 1the definition of 'clientdatajson' in that specification.
EventSource - Web APIs
constructor eventsource() creates a new eventsource to handle receiving server-sent events from a specified url, optionally in
credentials mode.
... eventsource.with
credentials read only a boolean indicating whether the eventsource object was instantiated with cross-origin (cors)
credentials set (true), or not (false, the default).
FederatedCredential - Web APIs
the federatedcredential interface of the the credential management api provides information about
credentials from a federated identity provider.
... examples var cred = new federatedcredential({ id: id, name: name, provider: 'https://account.google.com', iconurl: iconurl }); // store it navigator.
credentials.store(cred) .then(function() { // do something else.
PasswordCredential - Web APIs
var form = document.queryselector('#form'); var creds = new passwordcredential(form); // store the
credentials.
... navigator.
credentials.store(creds) .then(function(creds) { // do something with the
credentials if you need to.
PasswordCredential.additionalData - Web APIs
the data in the objects will be added to the request body and sent to the remote endpoint with the
credentials.
...navigator.
credentials.get(options).then(function(creds) { if (creds.type == 'password') { var form = new formdata(); var csrf_token = document.queryselector('csrf_token').value; form.append('csrf_token', csrf_token); creds.additionaldata = form; fetch('https://www.example.com', { method: 'post',
credentials: creds }); }; }); specifications specification status ...
PasswordCredential - Web APIs
the data in the objects will be added to the request body and sent to the remote endpoint with the
credentials.
... examples var cred = new passwordcredential({ id: id, password: password, name: name, iconurl: iconurl }); navigator.
credentials.store(cred) .then(function() { // do something else.
Payment Request API - Web APIs
credentials management: users can manage their credit cards and shipping addresses directly in the browser.
... a browser can also sync these "
credentials" across devices, making it easy for users to jump from desktop to mobile and back again when buying things.
PublicKeyCredential.id - Web APIs
mples var publickey = { challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.
credentials.create({ publickey }) .then(function (newcredentialinfo) { var id = newcredentialinfo.id; // do something with the id // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment we...
...b authentication: an api for accessing public key
credentials level 1the definition of 'id' in that specification.
PublicKeyCredentialCreationOptions.challenge - Web APIs
note: when the credential is retrieved with a navigator.
credentials.get() call, the signature of the challenge is contained in authenticatorassertionresponse.signature.
...mples var publickey = { challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.
credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key
credentials level 1...
PublicKeyCredentialCreationOptions.rp - Web APIs
the rp property of the publickeycredentialcreationoptions dictionary is an object describing the relying party which requested the credential creation (via navigator.
credentials.create()).
... examples var publickey = { challenge: /* from the server */, rp: { name: "example corp", id : "login.example.com", icon: "https://login.example.com/login.ico" }, user: { id: new uint8array(16), name: "jdoe@example.com", displayname: "john doe" }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.
credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key
credentials level 1...
PublicKeyCredentialCreationOptions.timeout - Web APIs
note: an analogous option exists for the fetching operation (navigator.credentials.get()), see publickeycredentialrequestoptions.timeout.
... challenge: new uint8array(26) /* this actually is given from the server */, rp: { name: "example corp", id : "login.example.com" }, user: { id: new uint8array(26), /* to be changed for each user */ name: "jdoe@example.com", displayname: "john doe", }, pubkeycredparams: [ { type: "public-key", alg: -7 } ] }; navigator.
credentials.create({ publickey }) .then(function (newcredentialinfo) { // send attestation response and client extensions // to the server to proceed with the registration // of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key
credentials level 1...
PublicKeyCredentialRequestOptions.challenge - Web APIs
note: when the credential is created with a navigator.
credentials.create() call, the signature of the challenge is contained within authenticatorattestationresponse.attestationobject.
... examples var options = { challenge: new uint8array([/* bytes sent from the server */]) }; navigator.
credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key
credentials level 1the definition of...
PublicKeyCredentialRequestOptions.extensions - Web APIs
note: an analogous option exists for the creation operation (navigator.credentials.create()), see publickeycredentialcreationoptions.extensions.
... examples var options = { extensions: { uvm: true, loc: false, txauthsimple: "could you please verify yourself?" }, challenge: new uint8array([/* bytes sent from the server */]) }; navigator.
credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key
credentials level 1the definition of...
PublicKeyCredentialRequestOptions.rpId - Web APIs
note: an analogous option exists for the creation operation (navigator.credentials.create()), see the id property of publickeycredentialcreationoptions.rp.
... examples var options = { challenge: new uint8array([/* bytes sent from the server */]), rpid: "example.com" // will only work if the current domain // is something like foo.example.com }; navigator.
credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key
credentials level 1the definition of ...
PublicKeyCredentialRequestOptions.timeout - Web APIs
note: an analogous option exists for the creation operation (navigator.credentials.create()), see publickeycredentialcreationoptions.timeout.
... examples var options = { challenge: new uint8array([/* bytes sent from the server */]), timeout: 60000 // wait a minute (the value is in milliseconds) for the fetching operation // and maybe fail if it takes longer }; navigator.
credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key
credentials level 1the definition of ...
PublicKeyCredentialRequestOptions.userVerification - Web APIs
note: an analogous option exists for the creation operation (navigator.credentials.create()), see the userverification property of publickeycredentialcreationoptions.authenticatorselection.
... examples var options = { userverification: "preferred", challenge: new uint8array([/* bytes sent from the server */]), }; navigator.
credentials.get({ "publickey": options }) .then(function (credentialinfoassertion) { // send assertion response back to the server // to proceed with the control of the credential }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key
credentials level 1the definition of ...
RTCPeerConnection.createOffer() - Web APIs
this will cause the returned offer to have different
credentials than those already in place.
...specify false to keep the same
credentials and therefore not restart ice.
RTCPeerConnection.setConfiguration() - Web APIs
exceptions invalidaccesserror one or more of the urls specified in configuration.iceservers is a turn server, but complete login information is not provided (that is, either the rtciceserver.username or rtciceserver.
credentials is missing).
... }] }; mypeerconnection.setconfiguration(restartconfig); mypeerconnection.createoffer({"icerestart": true}).then(function(offer) { return mypeerconnection.setlocaldescription(offer); }) .then(function() { // send the offer to the other peer using the signaling server }) .catch(reporterror); first, a new rtcconfiguration is created, restartconfig, specifying the new ice server and its
credentials.
Request() - Web APIs
credentials: the request
credentials you want to use for the request: omit, same-origin, or include.
... errors type description typeerror since firefox 43, request() will throw a typeerror if the url has
credentials, such as http://user:password@example.com.
SharedWorker() - Web APIs
credentials: a domstring specifying the type of
credentials to use for the worker.
...if not specified, the default is same-origin (credentials are sent only with same-origin requests); for type classic the option is ignored and same-origin is always used.
Attestation and Assertion - Web APIs
testation, the only option for android devices was to create android safetynet attestations fido u2f - security keys that implement the fido u2f standard use this format none - browsers may prompt users whether they want a site to be allowed to see their attestation data and/or may remove attestation data from the authenticator's response if the `attestation` parameter in `navigator.
credentials.create()` is set to `none` the purpose of attestation is to cryptographically prove that a newly generated key pair came from a specific device.
...used by a service to give a scope to
credentials.
Worker() - Web APIs
credentials: a domstring specifying the type of
credentials to use for the worker.
...if not specified, the default is same-origin (credentials are sent only with same-origin requests); for type classic the option is ignored and same-origin is always used.
XMLHttpRequest() - Web APIs
const request = new xmlhttprequest(paramsdictionary); parameters (non-standard) objparameters there are two flags you can set: mozanon boolean: setting this flag to true will cause the browser not to expose the origin and user
credentials when fetching resources.
...this can't be combined with sending cookies or other user
credentials.
Reason: CORS header 'Access-Control-Allow-Origin' missing - HTTP
in addition, the wildcard only works for requests made with the crossorigin attribute set to anonymous, and it prevents sending
credentials like cookies in requests.
... to allow any site to make cors requests without using the * wildcard (for example, to enable
credentials), your server must read the value of the request's origin header and use that value to set access-control-allow-origin, and must also set a vary: origin header to indicate that some headers are being set dynamically depending on the origin.
Access-Control-Allow-Headers - HTTP
* (wildcard) the value "*" only counts as a special wildcard value for requests without
credentials (requests without http cookies or http authentication information).
... in requests with
credentials, it is treated as the literal header name "*" without special semantics.
Access-Control-Allow-Methods - HTTP
* (wildcard) the value "*" only counts as a special wildcard value for requests without
credentials (requests without http cookies or http authentication information).
... in requests with
credentials, it is treated as the literal method name "*" without special semantics.
Access-Control-Allow-Origin - HTTP
header type response header forbidden header name no syntax access-control-allow-origin: * access-control-allow-origin: <origin> access-control-allow-origin: null directives * for requests without
credentials, the literal value "*" can be specified, as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource.
... attempting to use the wildcard with
credentials will result in an error.
Feature-Policy - HTTP
publickey-
credentials-get controls whether the current document is allowed to use the web authentication api to retrieve already stored public-key
credentials, i.e.
... via navigator.
credentials.get({publickey: ..., ...}).
Insecure passwords - Web security
if a website uses http instead of https, it is trivial to steal user information (such as their login
credentials).
...web developers of the news site may be less motivated to secure their site and their user
credentials.
Types of attacks - Web security
this can be used, for example, to steal login
credentials or to get the user's unwitting permission to install a piece of malware.
... man-in-the-middle (mitm) a third party intercepts traffic between a web server and a client (browser), and impersonates the web server in order to capture data (such as login
credentials or credit card information).
HTTP Class Overview - Archive of obsolete content
ttpchunkeddecoder owned by a transaction strips chunked transfer encoding nshttprequesthead owns a nshttpheaderarray knows how to fill a request buffer nshttpresponsehead owns a nshttpheaderarray knows how to parse response lines performs common header manipulations/calculations nshttpheaderarray stores http "<header>:<value>" pairs nshttpauthcache stores authentication
credentials for http auth domains nshttpbasicauth implements nsihttpauthenticator generates basic auth
credentials from user:pass nshttpdigestauth implements nsihttpauthenticator generates digest auth
credentials from user:pass original document information author(s): darin fisher last updated date: august 5, 2002 copyright information: portions of this content are © 1998–2007 by indiv...
mozbrowserusernameandpasswordrequired
the embedder is supposed to retrieve the necessary
credentials, usually using a dialog or a database of username/passwords, and then call authenticate() or cancel() as appropriate.
SVN for Localizers
since you are writing to the repository here, you will be asked for your ldap login
credentials.
NSS 3.45 release notes
notable changes in nss 3.45 bug 1540403 - implement delegated
credentials (draft-ietf-tls-subcerts) this adds a new experimental function: ssl_delegatecredential note: in 3.45, selfserv does not yet support delegated
credentials.
NSS 3.46 release notes
563258 - fips.sh fails due to non-existent "resp" directories bug 1561598 - remove -wmaybe-uninitialized warning in pqg.c bug 1560806 - increase softoken password max size to 500 characters bug 1568776 - output paths relative to repository in nss coverity bug 1453408 - modutil -changepw fails in fips mode if password is an empty string bug 1564727 - use a pss spki when possible for delegated
credentials bug 1493916 - fix ppc64 inline assembler for clang bug 1561588 - remove -wmaybe-uninitialized warning in p7env.c bug 1561548 - remove -wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c bug 1512605 - incorrect alert description after unencrypted finished msg bug 1564715 - read /proc/cpuinfo when at_hwcap2 returns 0 bug 1532194 - remove or fix -ddebug_$user from make builds bug 156...
Secure Development Guidelines
in an unsigned int if the input doesn’t have to be > 512, cut it off there if the input should only be [a-za-z0-9], enforce it cross site scripting (xss) xss is a type of code injection attack typically occurs in web applications injection of arbitrary data into an html document from another site victim’s browser executes those html instructions could be used to steal user
credentials think: webmail, online auction, cms, online banking...
imgILoader
loadflags aloadflags, in nsisupports cachekey, in imgirequest arequest, in nsichannelpolicy channelpolicy); imgirequest loadimagewithchannel(in nsichannel achannel, in imgidecoderobserver aobserver, in nsisupports cx, out nsistreamlistener alistener); boolean supportimagewithmimetype(in string mimetype); constants constant value description load_cors_anonymous 1 << 16 load_cors_use_
credentials 1 << 17 methods loadimage() start the load and decode of an image.
imgIRequest
cors_anonymous 2 cors_use_
credentials 3 methods cancelandforgetobserver() cancels this request as in nsirequest.cancel(); further, also nulls out decoderobserver so it gets no further notifications from us.
nsISocketProvider
anonymous_connect 1 << 1 when setting this flag, the socket will not apply any
credentials when establishing a connection.
nsISocketTransport
anonymous_connect 1 when this flag is set, the socket will not apply any
credentials when establishing a connection.
EventSource() - Web APIs
the possible entries are: withCredentials, defaulting to false, indicating if cors should be set to include credentials.
Navigator - Web APIs
navigator.credentials returns the CredentialsContainer interface which exposes methods to request credentials and notify the user agent when interesting events occur such as successful sign in or sign out.
PaymentResponse.complete() - Web APIs
var payment = new PaymentRequest(supportedInstruments, details, options); payment.show().then(function(paymentResponse) { var fetchOptions = { method: 'POST', credentials: 'include', body: JSON.stringify(paymentResponse) }; var serverPaymentRequest = new Request('secure/payment/endpoint'); fetch(serverPaymentRequest, fetchOptions).then( response => { if (response.status < 400) { paymentResponse.complete("success"); } else { paymentResponse.complete("fail"); }; }).catch( reason => { paymentResponse.complete("fail"); }); }).ca...
Using the Payment Request API - Web APIs
in the following snippet we do just this — depending on whether the user can make a fast payment or needs to add payment credentials first, the title of the checkout button changes between "fast checkout with w3c" and "setup w3c checkout".
PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() - Web APIs
ed with the creation of a PublicKeyCredential /* with this authenticator */ } else { /* use another kind of authenticator or a classical login/password workflow */ } }).catch(function(err){ /* something went wrong */ console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1the definition of 'isUserVerifyingPlatformAuthenticatorAvailable' in that specification.
PublicKeyCredentialCreationOptions.attestation - Web APIs
attestation: "indirect", challenge: new Uint8Array(26) /* this actually is given from the server */, rp: { name: "Example CORP", id : "login.example.com" }, user: { id: new Uint8Array(26), /* to be changed for each user */ name: "jdoe@example.com", displayName: "John Doe", }, pubKeyCredParams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publicKey }) .then(function (newCredentialInfo) { /* send attestation response and client extensions to the server to proceed with the registration of the credential */ }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
PublicKeyCredentialCreationOptions.authenticatorSelection - Web APIs
userVerification: "required" }, challenge: new Uint8Array(26) /* this actually is given from the server */, rp: { name: "Example CORP", id : "login.example.com" }, user: { id: new Uint8Array(26), /* to be changed for each user */ name: "jdoe@example.com", displayName: "John Doe", }, pubKeyCredParams: [ { type: "public-key", alg: -7 } ] }; navigator.credentials.create({ publicKey }) .then(function (newCredentialInfo) { /* send attestation response and client extensions to the server to proceed with the registration of the credential */ }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
PublicKeyCredentialCreationOptions.pubKeyCredParams - Web APIs
ot, then we will fallback on an rsa algorithm { type: "public-key", alg: -37 } ], challenge: new Uint8Array(26) /* this actually is given from the server */, rp: { name: "Example CORP", id : "login.example.com" }, user: { id: new Uint8Array(26), /* to be changed for each user */ name: "jdoe@example.com", displayName: "John Doe", } }; navigator.credentials.create({ publicKey }) .then(function (newCredentialInfo) { /* send attestation response and client extensions to the server to proceed with the registration of the credential */ }).catch(function (err) { console.error(err); }); specifications specification status comment web authentication: an api for accessing public key credentials level 1...
Using server-sent events - Web APIs
for example, assuming the client script is on example.com: const evtSource = new EventSource("//api.example.com/ssedemo.php", { withCredentials: true } ); once you've instantiated your event source, you can begin listening for messages from the server by attaching a handler for the message event: evtSource.onmessage = function(event) { const newElement = document.createElement("li"); const eventList = document.getElementById("list"); newElement.textContent = "message: " + event.data; /* textContent, not innerHTML: event.data is server-supplied text and must not be parsed as markup */ eventList.appendChild(newElement); } this c...
XMLHttpRequest - Web APIs
XMLHttpRequest.withCredentials is a boolean that indicates whether or not cross-site access-control requests should be made using credentials such as cookies or authorization headers.
Web APIs
canvaspattern canvasrenderingcontext2d caretposition channelmergernode channelsplitternode characterdata childnode client clients clipboard clipboardevent clipboarditem closeevent comment compositionevent constantsourcenode constrainboolean constraindomstring constraindouble constrainulong contentindex contentindexevent convolvernode countqueuingstrategy crashreportbody credential credentialscontainer crypto cryptokey cryptokeypair customelementregistry customevent d domconfiguration domerror domexception domhighrestimestamp domimplementation domimplementationlist domlocator dommatrix dommatrixreadonly domobject domparser dompoint dompointinit dompointreadonly domquad domrect domrectreadonly domstring domstringlist domstringmap domtimestamp domtokenlist domuserdata ...
CORS errors - HTTP
not http reason: cors header ‘access-control-allow-origin’ missing reason: cors header ‘access-control-allow-origin’ does not match ‘xyz’ reason: credential is not supported if the cors header ‘access-control-allow-origin’ is ‘*’ reason: did not find method in cors header ‘access-control-allow-methods’ reason: expected ‘true’ in cors header ‘access-control-allow-credentials’ reason: cors preflight channel did not succeed reason: invalid token ‘xyz’ in cors header ‘access-control-allow-methods’ reason: invalid token ‘xyz’ in cors header ‘access-control-allow-headers’ reason: missing token ‘xyz’ in cors header ‘access-control-allow-headers’ from cors preflight channel reason: multiple cors header ‘access-control-allow-origin’ not all...
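The credential-related entries in that error list (origin missing or mismatched, "*" with credentials, Access-Control-Allow-Credentials not "true") are the rules a browser applies before exposing a credentialed response to script, whether the request came from fetch with credentials: 'include', XMLHttpRequest.withCredentials or an EventSource with withCredentials: true. As an added example, not code from the MDN pages above: the server-side decision for such a request from an origin allow-list, the insecure origin-reflecting shortcut beside it, and the browser's check as a function so the outcomes can be compared. The allow-listed origins are assumed values.

```javascript
// Added example: CORS headers for a credentialed request, and the browser-side check.
// The origin allow-list is an assumed value.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Correct: echo the Origin only when it is on the allow-list. "*" cannot be used
// with credentials, so a credentialed API has to name the origin explicitly.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers: the browser keeps the response away from scripts
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stop shared caches serving one origin's headers to another
  };
}

// Weak: reflect whatever Origin arrives. Every browser check below passes, so any
// site can read the victim's cookie-authenticated responses. Shown for contrast only.
function corsHeadersReflectingUnsafe(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// The browser's decision, as a function: returns the reason in the wording of the
// CORS errors list above. credentialsMode is "omit", "same-origin" or "include".
function browserCorsCheck(headers, requestOrigin, credentialsMode) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) {
    return { ok: false, reason: "CORS header 'Access-Control-Allow-Origin' missing" };
  }
  if (acao !== "*" && acao !== requestOrigin) {
    return { ok: false, reason: `CORS header 'Access-Control-Allow-Origin' does not match '${acao}'` };
  }
  if (credentialsMode === "include") {
    if (acao === "*") {
      return { ok: false, reason: "Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'" };
    }
    if (headers["Access-Control-Allow-Credentials"] !== "true") {
      return { ok: false, reason: "Expected 'true' in CORS header 'Access-Control-Allow-Credentials'" };
    }
  }
  return { ok: true };
}

function demo() {
  const trusted = "https://app.example.com";
  const hostile = "https://evil.example";
  return {
    trustedAllowListed: browserCorsCheck(corsHeadersFor(trusted), trusted, "include"),
    hostileAllowListed: browserCorsCheck(corsHeadersFor(hostile), hostile, "include"),
    hostileReflected: browserCorsCheck(corsHeadersReflectingUnsafe(hostile), hostile, "include"),
    starWithCredentials: browserCorsCheck({ "Access-Control-Allow-Origin": "*" }, trusted, "include"),
    starWithoutCredentials: browserCorsCheck({ "Access-Control-Allow-Origin": "*" }, trusted, "omit"),
  };
}

console.log(demo());
```

The point of the last two entries in demo(): the same "*" header is fine for an anonymous request and fatal for a credentialed one, which is why public, cookie-free endpoints and authenticated endpoints should not share a CORS configuration.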
401 Unauthorized - HTTP
the http 401 unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.
407 Proxy Authentication Required - HTTP
the http 407 proxy authentication required client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for a proxy server that is between the browser and the server that can access the requested resource.
Grammar and types - JavaScript
/* multiline strings */ `in javascript, template strings can run over multiple lines, but double and single quoted strings cannot.` /* string interpolation */ var name = 'Bob', time = 'today'; `Hello ${name}, how are you ${time}?` /* construct an http request prefix used to interpret the replacements and construction */ POST`http://foo.org/bar?a=${a}&b=${b} Content-Type: application/json X-Credentials: ${credentials} { "foo": ${foo}, "bar": ${bar}}`(myOnReadyStateChangeHandler); you should use string literals unless you specifically need to use a string object.
Web app manifests
note: if the manifest requires credentials to fetch - the crossorigin attribute must be set to use-credentials, even if the manifest file is in the same origin as the current page.
Mixed content - Web security
malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).