Dylan Ayrey

Results 65 comments of Dylan Ayrey

The user_hash is not stored anywhere, at any time. In the event of a database breach, you do not obtain values that help you to log into anything. Contrasted with...

You can capture the hash if you have a passive man in the middle, and replay it. That's correct. That doesn't contradict what's in the readme, you don't get the...

Yeah, that's what I put the disclaimer at the top for. That said, I appreciate that this safety net exists, for new developers that don't know about CSRF, but I...

I think they've been sloppy because they don't realize the whole picture, which is all I've tried to do here; paint the picture. I wrote this blog post more for...

Hmmm the bucket seems a little tricky in some cases. Would it make more sense to just have the startup script run a simple Python server on port 80 that...

What if the data was brokered through the compute metadata? That should be available, and if you could land a startup script you should have permissions to it already.

Oh I guess not all the instances will have permission to the metadata though.

Hrm... the only thing with the bucket is there's an action the user has to take to explicitly add the service account to it. Maybe a big message when you...

> A quick note -- I would imagine that if I were a user, I would just make the bucket publicly writable but not readable, i.e. giving Storage Object Creator...

Ahh nice. Another question, I notice the bucket currently needs to be hard coded into the source and modified by the user, but this workflow is difficult particularly from folks...