You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shindig.apache.org by Dan Dumont <dd...@us.ibm.com> on 2011/09/22 22:55:37 UTC
Review Request: Locked domain cleanup and shared-domain-locking feature
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
Review request for shindig, johnfargo, Ryan Baxter, and Stanton Sievers.
Summary
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Diffs
-----
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Stanton Sievers <si...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/#review2028
-----------------------------------------------------------
The first pass of this looks ok.
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment4576>
What are these comments commenting? The "isHostUsingLockedDomain" call? Doesn't seem likely...
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment4577>
DefaultIFrameUriManager had some comments about overriding to implement custom behavior. Let's add that back in.
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment4578>
This was because %authority% was being replaced with the locked-domain, right? That is, the authority value had the hash prefix in it?
- Stanton
On 2011-09-22 20:55:37, Dan Dumont wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> (Updated 2011-09-22 20:55:37)
>
>
> Review request for shindig, johnfargo, Ryan Baxter, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
Done.
I was going to hold off, as this is very much in need of review first. The
feature work is to follow and I was going to create the JIRA then, but now
is fine.
From: Henry Saputra <he...@gmail.com>
To: dev@shindig.apache.org,
Date: 09/22/2011 05:22 PM
Subject: Re: Review Request: Locked domain cleanup and
shared-domain-locking feature
Dan,
Could you create a JIRA issue for this? This will help us to chase
down errors and patches history.
- Henry
On Thu, Sep 22, 2011 at 1:55 PM, Dan Dumont <dd...@us.ibm.com> wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> Review request for shindig, johnfargo, Ryan Baxter, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first
before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to
org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was
never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading
there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more
focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for
clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js
1174376
>
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
1174376
>
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java
1174376
>
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java
1174376
>
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java
1174376
>
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java
1174376
>
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java
1174376
>
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php
1174376
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Henry Saputra <he...@gmail.com>.
Dan,
Could you create a JIRA issue for this? This will help us to chase
down errors and patches history.
- Henry
On Thu, Sep 22, 2011 at 1:55 PM, Dan Dumont <dd...@us.ibm.com> wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> Review request for shindig, johnfargo, Ryan Baxter, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/#review2038
-----------------------------------------------------------
Yes.
- Dan
On 2011-09-22 21:35:24, Dan Dumont wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> (Updated 2011-09-22 21:35:24)
>
>
> Review request for shindig, johnfargo, Ryan Baxter, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
>
> This addresses bug SHINDIG-1628.
> https://issues.apache.org/jira/browse/SHINDIG-1628
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Ryan Baxter <rb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/#review2048
-----------------------------------------------------------
LGTM
- Ryan
On 2011-09-22 21:35:24, Dan Dumont wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> (Updated 2011-09-22 21:35:24)
>
>
> Review request for shindig, johnfargo, Ryan Baxter, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
>
> This addresses bug SHINDIG-1628.
> https://issues.apache.org/jira/browse/SHINDIG-1628
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
> On 2011-09-30 14:14:44, Jesse Ciancetta wrote:
> > http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java, line 164
> > <https://reviews.apache.org/r/2025/diff/3/?file=45266#file45266line164>
> >
> > It looks like the logic in this method is now based on the logic you removed from DefaultIframeUriManager.validateRenderingUri(...) -- however that logic doesn't seem to cover all the cases the old logic used to cover. For example -- with your new logic it's possible to render a gadget on an unlocked domain even if the container config requires locked domain for all gadgets or if the gadget itself requests locked domain in its features or via a transitive dependency.
> >
> > I suspect this is this where your follow on work is going to come in and further augment this logic to cover these cases as well as the additional functionality your adding -- is that right?
> >
> > If that's the case then I'd rather see a little more work in this patch to make it consistent with the old logic and see that committed separate from the new features -- then your follow on work will be easier for everyone to understand and review. It seems like this patch is close enough to ready to commit as is that it shouldn't be too difficult to break up the work.
> >
> > FWIW -- the old logic updated to use your new method signatures seems right to me:
> >
> > public boolean gadgetCanRender(String host, Gadget gadget, String container) {
> > container = getContainer(container);
> > if (enabled) {
> > if (isGadgetReqestingLocking(gadget) ||
> > isHostUsingLockedDomain(host) ||
> > isDomainLockingEnforced(container)) {
> > String neededHost = getLockedDomain(gadget, container);
> > return host.equals(neededHost);
> > }
> > }
> > return true;
> > }
"If that's the case then I'd rather see a little more work in this patch to make it consistent with the old logic and see that committed separate from the new features -- then your follow on work will be easier for everyone to understand and review. It seems like this patch is close enough to ready to commit as is that it shouldn't be too difficult to break up the work."
I was too far along :) But I did make the changes you suggested.
- Dan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/#review2216
-----------------------------------------------------------
On 2011-09-30 19:56:46, Dan Dumont wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> (Updated 2011-09-30 19:56:46)
>
>
> Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
> For documentation purposes:
> I looked through what appears to be 3 proxies.
> * Content proxy - gadgets.io.getProxyUrl
> * makeRequest proxy - gadgets.io.makeRequest
> * RPC Proxy - osapi.http.get
>
> Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
>
> makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
>
> RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
>
>
> This addresses bug SHINDIG-1628.
> https://issues.apache.org/jira/browse/SHINDIG-1628
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo1.xml PRE-CREATION
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo2.xml PRE-CREATION
> http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shared-script-frame/shared-script-frame-container.js 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/Renderer.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/LockedDomainPrefixGenerator.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/RendererTest.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ServletTestFixture.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManagerTest.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGeneratorTest.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/UriManagerTestBase.java 1177663
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1177663
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Jesse Ciancetta <jc...@mitre.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/#review2216
-----------------------------------------------------------
Overall the patch looks pretty good to me -- it's nice to see the cleanup of the dead code in DefaultIframeUriManager and the duplicate properties in container.js.
The only issues I see are around the changes in HashLockedDomainService -- I've added detailed comments for those inline in the code.
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment5148>
It looks like the logic in this method is now based on the logic you removed from DefaultIframeUriManager.validateRenderingUri(...) -- however that logic doesn't seem to cover all the cases the old logic used to cover. For example -- with your new logic it's possible to render a gadget on an unlocked domain even if the container config requires locked domain for all gadgets or if the gadget itself requests locked domain in its features or via a transitive dependency.
I suspect this is this where your follow on work is going to come in and further augment this logic to cover these cases as well as the additional functionality your adding -- is that right?
If that's the case then I'd rather see a little more work in this patch to make it consistent with the old logic and see that committed separate from the new features -- then your follow on work will be easier for everyone to understand and review. It seems like this patch is close enough to ready to commit as is that it shouldn't be too difficult to break up the work.
FWIW -- the old logic updated to use your new method signatures seems right to me:
public boolean gadgetCanRender(String host, Gadget gadget, String container) {
container = getContainer(container);
if (enabled) {
if (isGadgetReqestingLocking(gadget) ||
isHostUsingLockedDomain(host) ||
isDomainLockingEnforced(container)) {
String neededHost = getLockedDomain(gadget, container);
return host.equals(neededHost);
}
}
return true;
}
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment5145>
Could the call to checkSuffix be done once when the suffix is loaded into the map instead of needing to be done for every request?
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment5149>
Could the call to checkSuffix be done once when the suffix is loaded into the map instead of needing to be done for every request?
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment5146>
This looks like it is supposed to be outside of the:
if (LOG.isLoggable(Level.WARNING)) {
...
}
block
- Jesse
On 2011-09-29 17:03:35, Dan Dumont wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> (Updated 2011-09-29 17:03:35)
>
>
> Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
> For documentation purposes:
> I looked through what appears to be 3 proxies.
> * Content proxy - gadgets.io.getProxyUrl
> * makeRequest proxy - gadgets.io.makeRequest
> * RPC Proxy - osapi.http.get
>
> Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
>
> makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
>
> RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
>
>
> This addresses bug SHINDIG-1628.
> https://issues.apache.org/jira/browse/SHINDIG-1628
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/#review2219
-----------------------------------------------------------
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment5151>
Excellent catch, thank you.
- Dan
On 2011-09-29 17:03:35, Dan Dumont wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> (Updated 2011-09-29 17:03:35)
>
>
> Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
> For documentation purposes:
> I looked through what appears to be 3 proxies.
> * Content proxy - gadgets.io.getProxyUrl
> * makeRequest proxy - gadgets.io.makeRequest
> * RPC Proxy - osapi.http.get
>
> Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
>
> makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
>
> RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
>
>
> This addresses bug SHINDIG-1628.
> https://issues.apache.org/jira/browse/SHINDIG-1628
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
(Updated 2011-10-03 19:58:37.102473)
Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
Changes
-------
removed @override annotations so java 1.5 won't break.
Summary
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
For documentation purposes:
I looked through what appears to be 3 proxies.
* Content proxy - gadgets.io.getProxyUrl
* makeRequest proxy - gadgets.io.makeRequest
* RPC Proxy - osapi.http.get
Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
This addresses bug SHINDIG-1628.
https://issues.apache.org/jira/browse/SHINDIG-1628
Diffs (updated)
-----
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1178412
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo1.xml PRE-CREATION
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo2.xml PRE-CREATION
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shared-script-frame/shared-script-frame-container.js 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/Renderer.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/LockedDomainPrefixGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/RendererTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ServletTestFixture.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManagerTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGeneratorTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/UriManagerTestBase.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1178412
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
(Updated 2011-10-03 19:18:41.510554)
Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
Changes
-------
Updates for comments from Jesse
Summary
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
For documentation purposes:
I looked through what appears to be 3 proxies.
* Content proxy - gadgets.io.getProxyUrl
* makeRequest proxy - gadgets.io.makeRequest
* RPC Proxy - osapi.http.get
Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
This addresses bug SHINDIG-1628.
https://issues.apache.org/jira/browse/SHINDIG-1628
Diffs (updated)
-----
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1178412
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo1.xml PRE-CREATION
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo2.xml PRE-CREATION
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shared-script-frame/shared-script-frame-container.js 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/Renderer.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/LockedDomainPrefixGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/RendererTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ServletTestFixture.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManagerTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGeneratorTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/UriManagerTestBase.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1178412
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Ryan Baxter <rb...@gmail.com>.
> On 2011-10-03 19:04:01, Jesse Ciancetta wrote:
> > http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java, line 315
> > <https://reviews.apache.org/r/2025/diff/6/?file=47438#file47438line315>
> >
> > You could consider using a StringBuilder here instead of a StringBuffer
Committed revision 1178561. Thanks Dan and Jesse.
Dan please close the review and the JIRA.
- Ryan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/#review2269
-----------------------------------------------------------
On 2011-10-03 19:58:37, Dan Dumont wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> (Updated 2011-10-03 19:58:37)
>
>
> Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
> For documentation purposes:
> I looked through what appears to be 3 proxies.
> * Content proxy - gadgets.io.getProxyUrl
> * makeRequest proxy - gadgets.io.makeRequest
> * RPC Proxy - osapi.http.get
>
> Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
>
> makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
>
> RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
>
>
> This addresses bug SHINDIG-1628.
> https://issues.apache.org/jira/browse/SHINDIG-1628
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo1.xml PRE-CREATION
> http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo2.xml PRE-CREATION
> http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shared-script-frame/shared-script-frame-container.js 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/Renderer.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/LockedDomainPrefixGenerator.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/RendererTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ServletTestFixture.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManagerTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGeneratorTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/UriManagerTestBase.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1178412
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Jesse Ciancetta <jc...@mitre.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/#review2269
-----------------------------------------------------------
Ship it!
I found two small nits that you could take or leave which I noted in the code -- other than that it looks good to me.
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment5244>
It might be good to log the exception here
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
<https://reviews.apache.org/r/2025/#comment5245>
You could consider using a StringBuilder here instead of a StringBuffer
- Jesse
On 2011-10-03 14:30:19, Dan Dumont wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> (Updated 2011-10-03 14:30:19)
>
>
> Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
> For documentation purposes:
> I looked through what appears to be 3 proxies.
> * Content proxy - gadgets.io.getProxyUrl
> * makeRequest proxy - gadgets.io.makeRequest
> * RPC Proxy - osapi.http.get
>
> Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
>
> makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
>
> RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
>
>
> This addresses bug SHINDIG-1628.
> https://issues.apache.org/jira/browse/SHINDIG-1628
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/UriManagerTestBase.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGeneratorTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ServletTestFixture.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManagerTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/RendererTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/LockedDomainPrefixGenerator.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/Renderer.java 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo2.xml PRE-CREATION
> http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shared-script-frame/shared-script-frame-container.js 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1178412
> http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo1.xml PRE-CREATION
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
(Updated 2011-10-03 14:30:19.987345)
Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
Changes
-------
Found and removed a trailing whitespace
Summary
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
For documentation purposes:
I looked through what appears to be 3 proxies.
* Content proxy - gadgets.io.getProxyUrl
* makeRequest proxy - gadgets.io.makeRequest
* RPC Proxy - osapi.http.get
Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
This addresses bug SHINDIG-1628.
https://issues.apache.org/jira/browse/SHINDIG-1628
Diffs (updated)
-----
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/UriManagerTestBase.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGeneratorTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ServletTestFixture.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManagerTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/RendererTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/LockedDomainPrefixGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/Renderer.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo2.xml PRE-CREATION
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shared-script-frame/shared-script-frame-container.js 1178412
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1178412
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo1.xml PRE-CREATION
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
(Updated 2011-10-03 14:26:22.765398)
Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
Changes
-------
Updated change after Ryan's last commit. Some test changes and minor rewiring to account for the blacklist replacement.
Summary
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
For documentation purposes:
I looked through what appears to be 3 proxies.
* Content proxy - gadgets.io.getProxyUrl
* makeRequest proxy - gadgets.io.makeRequest
* RPC Proxy - osapi.http.get
Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
This addresses bug SHINDIG-1628.
https://issues.apache.org/jira/browse/SHINDIG-1628
Diffs (updated)
-----
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/RendererTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ServletTestFixture.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManagerTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGeneratorTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/UriManagerTestBase.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/LockedDomainPrefixGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/Renderer.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1178412
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo1.xml PRE-CREATION
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo2.xml PRE-CREATION
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shared-script-frame/shared-script-frame-container.js 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java 1178412
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1178412
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
(Updated 2011-09-30 19:56:46.329747)
Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
Changes
-------
Changes since last patch:
* Fixes suggested by Jesse to locked domain checking.
* Added locked domain checking to the MakeRequest proxy (just in case, looked like it was possible to spoof gadget param in url to get around blacklist impl).
* All unit tests now pass.
* Extended locked-domain "feature" to support concept of shared-locked-domain. @see sample gadgets and HashLockedDomainService#getLockedDomainParticipants
* Updated shared-script-frame feature to take advantage of shared-locked-domains so that multiple gadgets could share the same script frame.
Summary
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
For documentation purposes:
I looked through what appears to be 3 proxies.
* Content proxy - gadgets.io.getProxyUrl
* makeRequest proxy - gadgets.io.makeRequest
* RPC Proxy - osapi.http.get
Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
This addresses bug SHINDIG-1628.
https://issues.apache.org/jira/browse/SHINDIG-1628
Diffs (updated)
-----
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo1.xml PRE-CREATION
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1177663
http://svn.apache.org/repos/asf/shindig/trunk/content/samplecontainer/examples/SharedLockedDomainDemo2.xml PRE-CREATION
http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/shared-script-frame/shared-script-frame-container.js 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetException.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGenerator.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/Renderer.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/LockedDomainPrefixGenerator.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/GadgetOAuthCallbackGeneratorTest.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/RendererTest.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/ServletTestFixture.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManagerTest.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGeneratorTest.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/uri/UriManagerTestBase.java 1177663
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1177663
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
(Updated 2011-09-29 17:03:35.492298)
Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, Jesse Ciancetta, and Stanton Sievers.
Changes
-------
Adding Jesse. Could you please take a look at these changes?
A new review with the feature work is in the works, but this lays down most of the foundation for it.
Summary
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
For documentation purposes:
I looked through what appears to be 3 proxies.
* Content proxy - gadgets.io.getProxyUrl
* makeRequest proxy - gadgets.io.makeRequest
* RPC Proxy - osapi.http.get
Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
This addresses bug SHINDIG-1628.
https://issues.apache.org/jira/browse/SHINDIG-1628
Diffs
-----
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
(Updated 2011-09-27 13:25:17.798472)
Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, and Stanton Sievers.
Changes
-------
Added some comments to the description to track my investigations.
Summary (updated)
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
For documentation purposes:
I looked through what appears to be 3 proxies.
* Content proxy - gadgets.io.getProxyUrl
* makeRequest proxy - gadgets.io.makeRequest
* RPC Proxy - osapi.http.get
Content proxy denies all requests to a locked domain by default. It's assumed that it's configured on a url that would ensure it is only used for things like image or sctipt tags, etc.
makeRequest does not appear to do any locked domain checking to make sure the gadget is valid for the locked domain. While it's reasonable to assume a malicious gadget will not use the locked domain url of another gadget, it's possible it could craft a request to the proxy on its own locked domain and forge the gadget passed in to appear as another gadget. I'll be making changes to this proxy to include locked domain validation.
RPC Proxy appears to be made from the container on behalf of a gadget, the gadget passed in should be legitimate. I have not tried to make this request on a locked domain to see if the proxy will respond. (Gadget pretending to be the container making the request)
This addresses bug SHINDIG-1628.
https://issues.apache.org/jira/browse/SHINDIG-1628
Diffs
-----
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
(Updated 2011-09-26 13:11:12.939850)
Review request for shindig, Paul Lindner, johnfargo, Ryan Baxter, and Stanton Sievers.
Summary
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
This addresses bug SHINDIG-1628.
https://issues.apache.org/jira/browse/SHINDIG-1628
Diffs
-----
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Ryan Baxter <rb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/#review2031
-----------------------------------------------------------
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java
<https://reviews.apache.org/r/2025/#comment4580>
Is the only change here to remove this import? I assume it was unused? Are you just being a good citizen? :)
- Ryan
On 2011-09-22 21:35:24, Dan Dumont wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/2025/
> -----------------------------------------------------------
>
> (Updated 2011-09-22 21:35:24)
>
>
> Review request for shindig, johnfargo, Ryan Baxter, and Stanton Sievers.
>
>
> Summary
> -------
>
> Sorry for the crazy diffs here. Much stuff has moved around.
> This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
>
> Some highlights:
>
> * org.apache.shindig.gadgets.uri.DefaultIframeUriManager
> Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
> Removed validation on uri for locked domains from this class. It was never actually used.
>
> * org.apache.shindig.gadgets.uri.ProxyUriBase
> Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
>
> * org.apache.shindig.gadgets.uri.UriStatus
> Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
>
> * org.apache.shindig.gadgets.HashLockedDomainService
> Implemented new methods added to interface. Renamed some methods for clarity and java convention.
> Augmented some existing implementation from code that used to be in
> org.apache.shindig.gadgets.uri.DefaultIframeUriManager
>
>
> This addresses bug SHINDIG-1628.
> https://issues.apache.org/jira/browse/SHINDIG-1628
>
>
> Diffs
> -----
>
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
> http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
>
> Diff: https://reviews.apache.org/r/2025/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan
>
>
Re: Review Request: Locked domain cleanup and shared-domain-locking feature
Posted by Dan Dumont <dd...@us.ibm.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2025/
-----------------------------------------------------------
(Updated 2011-09-22 21:35:24.891337)
Review request for shindig, johnfargo, Ryan Baxter, and Stanton Sievers.
Changes
-------
Adding JIRA.
Fixing up comments from Stanton's review.
Summary
-------
Sorry for the crazy diffs here. Much stuff has moved around.
This is the cleanup part of the patch, I want a few good eyes first before I move on to the feature work.
Some highlights:
* org.apache.shindig.gadgets.uri.DefaultIframeUriManager
Nearly everything relating to locked domains has been moved to org.apache.shindig.gadgets.LockedDomainService
Removed validation on uri for locked domains from this class. It was never actually used.
* org.apache.shindig.gadgets.uri.ProxyUriBase
Removed check for INVALID_DOMAIN, nothing in the code paths leading there ever set that status.
* org.apache.shindig.gadgets.uri.UriStatus
Removed INVALID_DOMAIN, it was not used anymore. This class seems more focused on caching anyway.
* org.apache.shindig.gadgets.HashLockedDomainService
Implemented new methods added to interface. Renamed some methods for clarity and java convention.
Augmented some existing implementation from code that used to be in
org.apache.shindig.gadgets.uri.DefaultIframeUriManager
This addresses bug SHINDIG-1628.
https://issues.apache.org/jira/browse/SHINDIG-1628
Diffs (updated)
-----
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/LockedDomainService.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/ProxyHandler.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/ProxyUriBase.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/UriStatus.java 1174376
http://svn.apache.org/repos/asf/shindig/trunk/php/test/gadgets/ContainerConfigTest.php 1174376
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1174376
Diff: https://reviews.apache.org/r/2025/diff
Testing
-------
Thanks,
Dan