Pass SAS Token in Authorization header
It should be possible to pass a SAS token in the Authorization header when accessing Azure Storage resources. It is a more secure and generally better design than passing the SAS token as a URI parameter.
Currently (see the linked docs for reference), a SAS token has to be passed as a parameter in the URI.
I think this approach is less secure: even when using HTTPS, a URI parameter can be intercepted:
- the server can save it in its request log
- the browser can save it in the browsing history, from which it can be read, either by manually opening the history or by a browser extension
- some browser extensions read URLs and store them, so a URI carrying a secret as a URI parameter can also be sent to the extension developer.
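The first bullet is the easiest one to check for in practice: a SAS token placed in the query string shows up verbatim in proxy, web-server and browser-history records. The following is an added example, not code from the original request or from Azure, showing how a defender can scan such records for leaked SAS tokens, report the storage host and the token's expiry (`se`), and redact the secret `sig` parameter before the line is retained. The query parameter names (`sv`, `sr`, `sp`, `st`, `se`, `sig`) are the standard Azure Storage SAS parameters; the log lines, host name and signature value are constructed for this example.

```python
"""Detect and redact Azure Storage SAS tokens that have leaked into URLs
recorded in logs (added example; not part of the original feature request)."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# 'sig' is the HMAC signature and the only truly secret part of a SAS token;
# 'sv' (service version) is always present, so the pair identifies a SAS URL.
SECRET_PARAMS = {"sig"}

# Matches a URL up to the next whitespace or quote, which suits common
# access-log and proxy-log formats.
URL_RE = re.compile(r"https?://[^\s\"']+")


def is_sas_url(url: str) -> bool:
    """True if the URL carries a SAS token in its query string."""
    qs = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return "sig" in qs and "sv" in qs


def redact_sas(url: str) -> str:
    """Replace the secret 'sig' value with a placeholder, keeping the
    non-secret SAS metadata (permissions, expiry, ...) intact for triage."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k in SECRET_PARAMS else v) for k, v in pairs]
    # safe=":" keeps ISO-8601 timestamps such as se=2024-01-04T00:00:00Z readable
    return urlunsplit(parts._replace(query=urlencode(redacted, safe=":")))


def scan_log(lines):
    """Scan log lines for SAS URLs.

    Returns (findings, redacted_lines) where each finding is
    (line_number, storage_host, expiry) so an analyst can see how long the
    leaked token remains usable, and redacted_lines is the log with every
    'sig' value replaced."""
    findings = []
    redacted_lines = []
    for line_no, line in enumerate(lines, 1):
        def _sub(match):
            url = match.group(0)
            if not is_sas_url(url):
                return url
            parts = urlsplit(url)
            qs = dict(parse_qsl(parts.query, keep_blank_values=True))
            findings.append((line_no, parts.netloc, qs.get("se")))
            return redact_sas(url)
        redacted_lines.append(URL_RE.sub(_sub, line))
    return findings, redacted_lines


# Constructed proxy-log lines: one request carrying a (fake) SAS token for a
# PST export blob, one ordinary request without any secret.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET '
    'https://contosoexport.blob.core.windows.net/pst/mailbox1.pst'
    '?sv=2022-11-02&sr=b&sp=r&st=2024-01-01T00%3A00%3A00Z'
    '&se=2024-01-04T00%3A00%3A00Z&sig=EXAMPLESIGNATURE HTTP/1.1" 200 1024',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] '
    '"GET https://example.com/index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    found, cleaned = scan_log(SAMPLE_LOG)
    for line_no, host, expiry in found:
        print(f"line {line_no}: SAS token for {host}, valid until {expiry}")
    for line in cleaned:
        print(line)
```

Run against real proxy or web-server logs the same scanner doubles as a detection rule: any hit means a token that is still valid until its `se` timestamp has been written to disk, which is exactly the exposure the Authorization header would avoid. The redacted copy keeps `sp` and `se`, so the permissions and the remaining validity window stay visible to the responder without retaining the signature itself.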
Additionally, forcing the secret to be provided as a URI parameter leads to bad design decisions, e.g.:
In Microsoft Office 365 Security & Compliance, Azure Storage with SAS tokens is used for the Export/Import data from Office 365 feature (e.g. user mailbox PST files from/to Exchange Online). Preparing a PST for export and importing a PST takes time, 2-3 days in some cases. During this time the SAS token is valid and, if intercepted, can be used by an attacker or other undesirable person to steal often sensitive data.