Well, this week would not be a very vuetiful chapter, as I’m starting to work on the programming of firmware into the board. Just to recap, the procedure of downloading the firmware into the board is done through a sequence of HTTP requests, mainly revolving around DELETE, PUT requests and also OPTION requests as part of the CORS protocol. The server running in the board would use OPTION requests as an indication to enter into programming mode which would process the next request as a programming operation (i.e DELETE or PUT). As such, it is possible for an intruder to employ malicious attempts like replay attacks between the time of the OPTION request and a subsequent programming operation, therefore each programming operation is accompanied with a HOTP token to prevent such attacks.
One way of doing it is through URL redirection using 3XX HTTP status codes. The application server responds with a 3XX status code to the browser, which would automatically redirect its request through another URL provided in the Location header of the response, i.e the board’s URL in this case. There are quite a few different 3XX status code, each serving a different purpose, but what we would be using is 307 Temporary direct, as it preserves the request method even after redirection. Some of the status codes would actually change the request to a GET request after redirection.
To test things out first, I just have a DELETE button in the user interface, which when I click would trigger the DELETE request. Now this seems all fine and dandy, but as you know things don’t always go your way. For some reason, I couldn’t get automatic redirection to work in Firefox. I have read the RFC document as well as other sources of information to ensure I’m not missing out anything and also searching all over the internet to find out why does Firefox behave this way, but its to no avail. On the other hand, automatic URL redirection works as expected in Google Chrome, which only makes me question more about Firefox’s special case. Unfortunately, because of this I would have to manually send the request in the browser from now on. It won’t be as nice as URL redirection but as long as I could get it to work.