Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Accept both date and x-date for skew checks #20

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Accept both date and x-date for skew checks #20

wants to merge 1 commit into from

Conversation

grischal
Copy link

@grischal grischal commented Nov 6, 2018

Most browsers (tested on Firefox 60.2.0esr, Chrome 70.0.3538.77) do not automatically include date in the HTTP header (and forbid date to be changed/added programmatically). Therefore, Hmmac in its current form cannot be used with skew check, increasing the chance for replay attacks.
I modified lib/hmmac.js to also consider the 'x-date' header for skew check in case 'date' is not set.
Would be great to get this into the library (which I otherwise like a lot) - I hope it's still somewhat maintained.

Cheers,
Grischa

@cmawhorter
Copy link
Owner

thanks for submitting. i'll take a look.

I hope it's still somewhat maintained.

it's minimally maintained. i'm happy to review/merge prs and fix security issues, but don't have the time to dedicate to building new features or a new release myself.

@grischal
Copy link
Author

Hi! Did you have time to look at this pull request, or are you waiting for me to fix the checks on Travis?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@grischal @cmawhorter