by Auralia » Fri Jan 13, 2017 8:30 pm
by Greater Tern » Fri Jan 13, 2017 9:26 pm
Auralia wrote:[violet], would it be possible to add a private shard that simply resets the CTE timer for a nation? I'd like to write a web-based autologin script, but the main NationStates website doesn't (and shouldn't) support CORS requests. As it stands I can make the request (using hidden POST form hackery) but I can't examine it to verify that it succeeded. A dedicated API call would solve that problem.
by Imperium Anglorum » Fri Jan 13, 2017 9:38 pm
Auralia wrote:[violet], would it be possible to add a private shard that simply resets the CTE timer for a nation? I'd like to write a web-based autologin script, but the main NationStates website doesn't (and shouldn't) support CORS requests. As it stands I can make the request (using hidden POST form hackery) but I can't examine it to verify that it succeeded. A dedicated API call would solve that problem.
by Auralia » Sat Jan 14, 2017 9:57 am
Greater Tern wrote:I think any of the private shards reset the CTE timer when accessed, since using them counts as a login.
Imperium Anglorum wrote:V, will there be a way to restore nations via the API, or will that have to be done via interaction with the site?
by [violet] » Sat Jan 14, 2017 9:31 pm
Auralia wrote:[violet], would you mind adding CORS support to the private shards API? I believe you would need to add "Password", "Pin", and "Autologin" to an "Access-Control-Allow-Headers" header in API responses.
by Auralia » Sun Jan 15, 2017 9:02 am
[violet] wrote:Auralia wrote:[violet], would you mind adding CORS support to the private shards API? I believe you would need to add "Password", "Pin", and "Autologin" to an "Access-Control-Allow-Headers" header in API responses.
People have asked for CORS stuff before but I've never been able to figure it out with enough confidence to feel like I know what I'm doing.
Can your script not see whether the request returns HTTP 200 vs 403/509?
Fetch API cannot load https://www.nationstates.net/cgi-bin/ap ... uralia&v=9. Request header field password is not allowed by Access-Control-Allow-Headers in preflight response.
by [violet] » Sun Jan 15, 2017 4:13 pm
by Imperium Anglorum » Sun Jan 15, 2017 9:25 pm
by Auralia » Mon Jan 16, 2017 12:39 pm
[violet] wrote:The part I have trouble with is I know this security model exists for a reason, and when I start creating exceptions, I'm unclear on the security implications of the holes I just poked in it.
I can certainly see it's handy for third-party scripts to be able to make cross-domain requests and read the return data. But what class of attacks does enabling "Access-Control-Allow-Headers" allow? There must be some, or it wouldn't exist.
by Caelapes » Mon Jan 16, 2017 12:41 pm
Auralia wrote:Moreover, the private shards do not rely on cookies for authentication, so a malicious website can't masquerade as the user unless the user actually provides them with their password.
by Auralia » Mon Jan 16, 2017 2:58 pm
Caelapes wrote:Auralia wrote:Moreover, the private shards do not rely on cookies for authentication, so a malicious website can't masquerade as the user unless the user actually provides them with their password.
I'm pretty sure you can use private shards with a login token/PIN (I forget the exact term - it's been a while since I've looked at the private shards) which is identical to the one stored in your cookies for auto-login.
by [violet] » Mon Jan 16, 2017 4:34 pm
Auralia wrote:This attack doesn't really make sense in the context of the NationStates API, though. Most of the shards are public, so it doesn't matter who accesses them. Moreover, the private shards do not rely on cookies for authentication, so a malicious website can't masquerade as the user unless the user actually provides them with their password.
Auralia wrote:Per the API documentation, the request authentication headers for private shards are "Pin", "Password" and "Autologin", which are not prefaced with "X-". However, the response uses the header "X-Pin".
by Auralia » Mon Jan 16, 2017 6:32 pm
[violet] wrote:Auralia wrote:This attack doesn't really make sense in the context of the NationStates API, though. Most of the shards are public, so it doesn't matter who accesses them. Moreover, the private shards do not rely on cookies for authentication, so a malicious website can't masquerade as the user unless the user actually provides them with their password.
That much I understand, but not why the ability to post headers is also denied by default. That doesn't have anything to do with cookies yet has apparently been deemed risky enough to block by browser vendors.
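The preflight negotiation the two quoted posts above are arguing about, written out as an added example (this is not NationStates code and not code posted by anyone in this thread). The origins, the two server policies and the header values are constructed for illustration; the error strings are the ones a browser reports, including the one quoted earlier in the thread. The point it shows is why a custom header such as Password is blocked by default: the browser asks first, and a server that never opted in simply does not list the header, so the real request never leaves the browser.

```javascript
// Added example: a minimal model of CORS preflight for a request that carries
// non-safelisted headers (Password, Pin, Autologin). Two parties are modelled:
// a server that publishes an explicit allowlist, and a browser that enforces it.
// Constructed values throughout; nothing here is the site's real configuration.

// Headers the browser may send cross-origin without asking first.
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// Hypothetical policies. BEFORE: origin known but no custom headers allowed
// (the state that produces the thread's error). AFTER: the three private-shard
// headers are listed, which is the change being requested.
const SCRIPT_ORIGIN = "https://script.example.invalid";
const BEFORE_POLICY = { origins: new Set([SCRIPT_ORIGIN]), headers: new Set() };
const AFTER_POLICY = {
  origins: new Set([SCRIPT_ORIGIN]),
  headers: new Set(["password", "pin", "autologin"]),
};

// Any request header outside the safelist forces an OPTIONS preflight.
function headersNeedingPreflight(requestHeaders) {
  return Object.keys(requestHeaders)
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED_HEADERS.has(h));
}

// Server side: answer the preflight. The server states its policy; it never
// echoes whatever the browser asked for, and it never answers "*" for an
// origin it does not recognise. No Access-Control-Allow-Credentials is sent,
// so the browser's own cookies (the auto-login cookie included) stay out of
// the exchange: the script must supply the credential header itself.
function preflightResponse(policy, origin) {
  if (!policy.origins.has(origin)) {
    return { status: 403, headers: {} }; // unknown origin: no CORS headers at all
  }
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": origin,
      "access-control-allow-headers": [...policy.headers].join(", "),
      "access-control-allow-methods": "GET",
    },
  };
}

// Browser side: returns null if the real request is allowed to go out, or the
// error the page's script would see. `server` is a function origin -> response.
function browserCheck(server, origin, requestHeaders) {
  const needed = headersNeedingPreflight(requestHeaders);
  if (needed.length === 0) return null; // simple request: sent without preflight

  const resp = server(origin);
  const ok = resp.status >= 200 && resp.status <= 299;
  if (!ok || resp.headers["access-control-allow-origin"] !== origin) {
    return "No 'Access-Control-Allow-Origin' header is present on the requested resource.";
  }
  const allowed = new Set(
    (resp.headers["access-control-allow-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean),
  );
  for (const h of needed) {
    if (!allowed.has(h)) {
      return `Request header field ${h} is not allowed by Access-Control-Allow-Headers in preflight response.`;
    }
  }
  return null;
}

const beforeServer = (origin) => preflightResponse(BEFORE_POLICY, origin);
const afterServer = (origin) => preflightResponse(AFTER_POLICY, origin);

// Usage: the same request against both policies, and from an unlisted origin.
console.log(browserCheck(beforeServer, SCRIPT_ORIGIN, { Password: "constructed" }));
console.log(browserCheck(afterServer, SCRIPT_ORIGIN, { Password: "constructed" }));
console.log(browserCheck(afterServer, "https://other.example.invalid", { Pin: "constructed" }));
```

The browser enforces the server's answer, not the other way round: a header the server never listed is refused before the authenticated request is sent, which is the behaviour the quoted error describes. Listing the three headers for a specific origin, without a wildcard and without credentials, is the narrow opt-in the thread is asking for.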
by Auralia » Thu Jan 19, 2017 6:43 am
by Really stateless nation » Fri Jan 20, 2017 6:03 am
by Greater Tern » Fri Jan 20, 2017 2:30 pm
Really stateless nation wrote:Is there any API to get (anti-)top N countries from a non-today World Census? For example, I might want to get the names of the top 10 countries for Corruption and the names of the anti-top 7 countries for Nudity (i.e. the 7 countries with the most clothed citizens).
by Imperium Anglorum » Mon Jan 23, 2017 9:27 am
https://www.nationstates.net/cgi-bin/api.cgi?nation=imperium_anglorum&q=endorsements
https://www.nationstates.net/cgi-bin/api.cgi?nation=imperium_anglorum+alsted&q=endorsements
by [violet] » Mon Jan 23, 2017 3:57 pm
Imperium Anglorum wrote:So one can query multiple nations for the same shard?
by Imperium Anglorum » Mon Jan 23, 2017 4:33 pm
by Agadar » Tue Jan 24, 2017 11:00 am
[violet] wrote:"beforetime" and "sincetime" parameters are now supported in the Happenings API. See the doc for examples.
by Trotterdam » Tue Jan 24, 2017 12:26 pm
Agadar wrote:How long are happenings stored for?
7 days, as you probably suspected from that date.
by Agadar » Tue Jan 24, 2017 12:31 pm
by Imperium Anglorum » Tue Jan 24, 2017 2:08 pm
Agadar wrote:That's real disappointing to learn, as this means I can't make regional rankings of nations with the most endorsements given, as there is no other way for me to find out who endorsed who during a specific period of time outside of happenings, which are apparently limited to up to 7 days ago.