-
Laurent Wouters authored
The current protocol for signed request requires the use of the Date HTTP header. Although this works fine for clients that have full control over the HTTP headers they send, this is not working in the context of web browser where the Date HTTP headers are forbidden to be programmatically set (and therefore used in any meaningful way) https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name In general, this change enables the specification of a prioritized list of alternative for headers. In particular for the Date header, this change specifies a the list ['X-Cubicweb-Date', 'Date'] as an alternative to the Date header; meaning that when looking for the Date header, one should first look at the X-Cubicweb-Date header, and then if not present at the Date header. Doing so, it should be possible to emit signed requests from the context of a browser by specifying a X-Cubicweb-Date header, overriding the Date header that the browser may or may not set by itself.
f90a9c36135c