Posted to dev@shindig.apache.org by et...@apache.org on 2008/10/16 01:29:26 UTC

svn commit: r705097 - in /incubator/shindig/trunk/java/gadgets/src: main/java/org/apache/shindig/gadgets/servlet/ProxyBase.java test/java/org/apache/shindig/gadgets/servlet/ProxyBaseTest.java

Author: etnu
Date: Wed Oct 15 16:29:26 2008
New Revision: 705097

URL: http://svn.apache.org/viewvc?rev=705097&view=rev
Log:
Skip sending the Content-Disposition header for Flash content, since it breaks Flash Player 10. This weakens our phishing protection, so a better long-term solution is still needed.


Modified:
    incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyBase.java
    incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyBaseTest.java

Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyBase.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyBase.java?rev=705097&r1=705096&r2=705097&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyBase.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyBase.java Wed Oct 15 16:29:26 2008
@@ -24,9 +24,10 @@
 import org.apache.shindig.gadgets.GadgetException;
 import org.apache.shindig.gadgets.http.HttpResponse;
 
+import java.io.IOException;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
 
 /**
  * Base class for proxy-based handlers.
@@ -108,7 +109,12 @@
       refreshInterval = Math.max(60 * 60, (int)(results.getCacheTtl() / 1000L));
     }
     HttpUtil.setCachingHeaders(response, refreshInterval);
-    response.setHeader("Content-Disposition", "attachment;filename=p.txt");
+    // We're skipping the content disposition header for flash due to an issue with Flash player 10
+    // This does make some sites a higher value phishing target, but this can be mitigated by
+    // additional referer checks.
+    if (!"application/x-shockwave-flash".equalsIgnoreCase(results.getHeader("Content-Type"))) {
+      response.setHeader("Content-Disposition", "attachment;filename=p.txt");
+    }
   }
 
   /**
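Review bot: The comment on the new branch says the lost protection "can be mitigated by additional referer checks", but no such check appears in this hunk or anywhere else in the change, so for Flash responses the header is now simply absent with nothing in its place. A SWF fetched through this proxy and rendered inline executes with the proxy host's origin, so if the proxy shares a host with the container or carries its cookies the exposure is broader than phishing; the deployment layout is not visible from here, so that is an assumption to confirm. I would make the gap explicit rather than implied: `// TODO: no referer check exists yet; until one does, the proxy must run on an isolated, cookieless host, because inline SWFs execute with this host's origin.` Note also that the check is an `equalsIgnoreCase` against the bare media type, so a Content-Type carrying parameters (e.g. `; charset=...`) or a missing Content-Type still gets the attachment header — fail-safe, but worth stating in the comment so the exact match is not "fixed" later without revisiting the tradeoff. setResponseHeaders begins above this hunk.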

Modified: incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyBaseTest.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyBaseTest.java?rev=705097&r1=705096&r2=705097&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyBaseTest.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ProxyBaseTest.java Wed Oct 15 16:29:26 2008
@@ -18,20 +18,23 @@
  */
 package org.apache.shindig.gadgets.servlet;
 
-import com.google.common.collect.Maps;
+import static org.easymock.EasyMock.expect;
+
 import org.apache.shindig.common.ContainerConfig;
 import org.apache.shindig.common.uri.Uri;
 import org.apache.shindig.gadgets.GadgetException;
 import org.apache.shindig.gadgets.http.HttpResponse;
 import org.apache.shindig.gadgets.http.HttpResponseBuilder;
-import static org.easymock.EasyMock.expect;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import com.google.common.collect.Maps;
+
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 /**
  * Tests for ProxyBase.
  */
@@ -145,6 +148,22 @@
     assertEquals("attachment;filename=p.txt", recorder.getHeader("Content-Disposition"));
   }
 
+  public void testSetResponseHeadersForFlash() {
+    HttpResponse results = new HttpResponseBuilder()
+        .setHeader("Content-Type", "application/x-shockwave-flash")
+        .create();
+
+    replay();
+
+    proxy.setResponseHeaders(request, recorder, results);
+
+    // Just verify that they were set. Specific values are configurable.
+    assertNotNull("Expires header not set", recorder.getHeader("Expires"));
+    assertNotNull("Cache-Control header not set", recorder.getHeader("Cache-Control"));
+    assertNull("Content-Disposition header set for flash",
+        recorder.getHeader("Content-Disposition"));
+  }
+
   public void testSetResponseHeadersNoCache() {
     Map<String, List<String>> headers = Maps.newTreeMap(String.CASE_INSENSITIVE_ORDER);
     headers.put("Pragma", Arrays.asList("no-cache"));
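Review bot: testSetResponseHeadersForFlash pins only the exact-match case; the production check is an `equalsIgnoreCase` against the bare media type, so a Content-Type carrying parameters or a response with no Content-Type at all still receives the attachment header, and nothing here asserts that fail-safe side. Without such a test, a later change that parses parameters would silently widen the set of responses that lose the header, which is the security-relevant direction. One more test in the same shape would cover it; the fixture (`proxy`, `request`, `recorder`, `replay()`) is set up outside this hunk, so I am assuming it behaves as in the neighbouring tests.
```java
  public void testSetResponseHeadersFlashWithParameters() {
    HttpResponse results = new HttpResponseBuilder()
        .setHeader("Content-Type", "application/x-shockwave-flash; charset=binary")
        .create();

    replay();

    proxy.setResponseHeaders(request, recorder, results);

    // The exact-match check only skips the header for the bare media type;
    // anything else must keep the phishing protection.
    assertEquals("attachment;filename=p.txt", recorder.getHeader("Content-Disposition"));
  }
```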