Suggesting POST option for the raplet protocol


Tarun Pondicherry

Sep 13, 2011, 3:53:54 PM
to raple...@googlegroups.com
Hi,

I think there should also be a POST version of the raplet protocol so using https would encrypt the email addresses being queried.

Tarun

Sam Stokes

Sep 13, 2011, 9:57:43 PM
to raple...@googlegroups.com
Hi Tarun, as I'm sure you know, HTTPS encrypts the entire request,
including the URL and any request data. So there's actually no
difference in security between a GET request and a POST request: in
both cases, using HTTPS prevents an attacker from listening in on the
request by sniffing network traffic. (If you're using plain
unencrypted HTTP, POST provides no more protection.)

You might be seeing email addresses from Raplet requests in your logs:
some HTTP servers, proxies and web frameworks log the entire URL,
including query parameters, for each incoming request. It's true that
putting the email addresses in the body of a POST request instead of
the query parameters of a GET request would stop these servers from
logging the data, but it should also be possible to configure them to
strip out the query parameters from the URL before logging. (e.g.
Rails has filter_parameters where you can specify parameters you want
to strip out.)

Unfortunately it's hard for us to use POST for Raplet requests,
because the request is originating from mail.google.com but going to
your.raplet.domain.com, so the browser will disallow it; we use JSONP
to get around the cross-domain restriction, but JSONP only supports
GET requests. One day we might use CORS
(http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing), which
supports POST requests, instead of JSONP for Raplet requests, but that
would require Raplet authors to implement support for CORS on the
server side, and not all web frameworks support it yet.

Does that make sense?
--
Sam Stokes
CTO, Rapportive

@samstokes
http://rapportive.com
http://www.samstokes.co.uk
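
The log-scrubbing approach described in the reply above (masking query parameters before a URL is written to a log), sketched in plain Ruby as an added example; it is not part of the original message and is not Rapportive's or Rails' code. The `email` parameter name, the `/raplet` path and the sample log lines are constructed assumptions.

```ruby
require "uri"

# Parameter names to mask. "email" is an assumption for this example; the
# thread only says that email addresses travel in the query string.
FILTERED_PARAMS = %w[email].freeze
MASK = "[FILTERED]"
REQUEST_LINE = %r{"([A-Z]+) (\S+) (HTTP/[\d.]+)"}

# Decode a percent-encoded parameter name; fall back to the raw text when
# the encoding is malformed so scrubbing never raises on hostile input.
def decode_name(raw)
  URI.decode_www_form_component(raw)
rescue ArgumentError
  raw
end

# True for "email", "Email" and nested forms such as "user[email]".
def sensitive_param?(name, filtered = FILTERED_PARAMS)
  lowered = name.downcase
  filtered.include?(lowered[/\[([^\]]*)\]\z/, 1] || lowered)
end

# Mask sensitive values in a request target such as "/raplet?email=...".
# Other parameters (e.g. the JSONP callback) and both "&" and ";"
# separators are preserved so the log line stays useful.
def scrub_target(target, filtered = FILTERED_PARAMS)
  path, sep, query = target.partition("?")
  scrubbed = query.gsub(/([^&;=]+)=([^&;]*)/) do
    raw_name = Regexp.last_match(1)
    whole = Regexp.last_match(0)
    sensitive_param?(decode_name(raw_name), filtered) ? "#{raw_name}=#{MASK}" : whole
  end
  "#{path}#{sep}#{scrubbed}"
end

# Scrub the request line of one access-log entry (Common Log Format).
def scrub_log_line(line, filtered = FILTERED_PARAMS)
  line.sub(REQUEST_LINE) do
    m = Regexp.last_match
    "\"#{m[1]} #{scrub_target(m[2], filtered)} #{m[3]}\""
  end
end

# Constructed sample entries; the host, path and parameters are made up.
SAMPLE_LOG = [
  '203.0.113.7 - - [13/Sep/2011:19:53:54 +0000] "GET /raplet?email=alice%40example.com&callback=jsonp1 HTTP/1.1" 200 512',
  '203.0.113.7 - - [13/Sep/2011:19:54:02 +0000] "GET /raplet?callback=jsonp2&user%5BEmail%5D=bob%40example.com HTTP/1.1" 200 498',
  '203.0.113.9 - - [13/Sep/2011:19:55:10 +0000] "GET /favicon.ico HTTP/1.1" 404 0'
].freeze

puts SAMPLE_LOG.map { |l| scrub_log_line(l) } if __FILE__ == $PROGRAM_NAME
```

Scrubbing at write time only covers the component that runs this code; any proxy or load balancer in front of it keeps its own logs and needs the same treatment.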

