René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Fix WebID+TLS login for cross-domain","articleBody":"**Current situation**\r\n- The first time the user makes a request with a client certificate, the WebID is verified (takes a bit of time).\r\n- A cookie is set to remember that verification (saves that time).\r\n- Subsequent requests from the domain of the data pod use that cookie.\r\n- This cookie is rejected for request from third-party domains for security reasons (#526).\r\n\r\n**Old behavior**\r\n- The old behavior (pre-#526) was that the cookie was also accepted with request from third-party domains.\r\n- However, this meant that, after you had logged in on your own pod, any random website could send authenticated requests to your pod without your permission. The user could cancel the client certificate prompt, but the request would still go through, as the cookie was already in place.\r\n\r\n**Suggested new behavior**\r\n- The client certificate should be verified per domain. (Verification can however be cached to speed things up.)\r\n\r\nWhen this is fixed, Warp should work again.","author":{"url":"https://github.com/RubenVerborgh","@type":"Person","name":"RubenVerborgh"},"datePublished":"2018-06-15T07:25:12.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/710/node-solid-server/issues/710"}