Posted to dev@shindig.apache.org by Chris Chabot <ch...@xs4all.nl> on 2008/04/16 19:32:55 UTC
Small question about token and proxy request
Hey guys,
Now we've got this st (security token) which, if not filled in, is
defaulted to st=john.doe:john.doe:appid:synd:url:0 in javascript
(gadgets.js I believe). That fixes all cases ... I thought..
Seems when a proxy request happens from the gadget, the request url
has an empty st= param, for instance:
http://shindig/gadgets/ifr?url=http%3A%2F%2Fwww.google.com%2Fig%2Fmodules%2Fhoroscope.xml&synd=default&mid=0&nocache=1&country=ALL&lang=ALL&view=default&parent=http%3A%2F%2Fshindig&st=john.doe:john.doe:appid:synd:url:0
(notice the "st=john.doe:john.doe:appid:synd:url:0" part) results in
the following proxy request:
http://shindig/gadgets/proxy?output=js&refresh=3600&url=http%3A%2F%2Fwww.tarot.com%2Frss%2Fgenerate.php%3Fcode%3Dgoogle-ig%26feed%3Ddaily_horoscope%26sign%3DGemini&httpMethod=GET&headers=&postData=&authz=&st=&oauthState=&oauthService=&oauthToken=
notice the empty st= part here.. My code tends not to like this since
it's trying to retrieve the owner/viewer/etc from an empty string ...
unsuccessfully as I'm sure you can imagine :)
If the gadget (iframe) url includes a st param, shouldn't the
subsequent proxy requests use it too? or am i missing something
obvious here?
-- Chris
Re: Small question about token and proxy request
Posted by Kevin Brown <et...@google.com>.
On Wed, Apr 16, 2008 at 11:00 AM, Chris Chabot <ch...@xs4all.nl> wrote:
> Hmm.. well one of the problems I remember of our proxy is that it's pretty
> open ..
That'd only be true for the open proxy, which isn't used by makeRequest. The
open proxy is there for things like images.
>
> Having a (cryptographically verifiable) viewer, would partially solve this
> problem when we only allow requests with valid tokens to retrieve content
> through the proxy right? (there are scenarios conceivable where this could
> be bypassed but that would take a rather complex mechanism). Hence my
> wondering about it being passed or not :)
>
> -- Chris
>
>
> On Apr 16, 2008, at 7:49 PM, Kevin Brown wrote:
>
> > The security token is only passed if authz is "signed" or
> > "authenticated".
> > It doesn't make sense to pass it otherwise.
> >
> >
>
--
~Kevin
Re: Small question about token and proxy request
Posted by Chris Chabot <ch...@xs4all.nl>.
Hmm.. well one of the problems I remember of our proxy is that it's
pretty open ..
Having a (cryptographically verifiable) viewer, would partially solve
this problem when we only allow requests with valid tokens to retrieve
content through the proxy right? (there are scenarios conceivable
where this could be bypassed but that would take a rather complex
mechanism). Hence my wondering about it being passed or not :)
-- Chris
On Apr 16, 2008, at 7:49 PM, Kevin Brown wrote:
> The security token is only passed if authz is "signed" or
> "authenticated".
> It doesn't make sense to pass it otherwise.
>
Re: Small question about token and proxy request
Posted by Kevin Brown <et...@google.com>.
The security token is only passed if authz is "signed" or "authenticated".
It doesn't make sense to pass it otherwise.
On Wed, Apr 16, 2008 at 10:32 AM, Chris Chabot <ch...@xs4all.nl> wrote:
> Hey guys,
>
> Now we've got this st (security token) which, if not filled in, is
> defaulted to st=john.doe:john.doe:appid:synd:url:0 in javascript (gadgets.js
> I believe). That fixes all cases ... I thought..
>
> Seems when a proxy request happens from the gadget, the request url has an
> empty st= param, for instance:
>
>
> http://shindig/gadgets/ifr?url=http%3A%2F%2Fwww.google.com%2Fig%2Fmodules%2Fhoroscope.xml&synd=default&mid=0&nocache=1&country=ALL&lang=ALL&view=default&parent=http%3A%2F%2Fshindig&st=john.doe:john.doe:appid:synd:url:0
>
> (notice the "st=john.doe:john.doe:appid:synd:url:0" part) results in the
> following proxy request:
>
>
> http://shindig/gadgets/proxy?output=js&refresh=3600&url=http%3A%2F%2Fwww.tarot.com%2Frss%2Fgenerate.php%3Fcode%3Dgoogle-ig%26feed%3Ddaily_horoscope%26sign%3DGemini&httpMethod=GET&headers=&postData=&authz=&st=&oauthState=&oauthService=&oauthToken=
>
> notice the empty st= part here.. My code tends not to like this since it's
> trying to retrieve the owner/viewer/etc from an empty string ...
> unsuccessfully as I'm sure you can imagine :)
>
> If the gadget (iframe) url includes a st param, shouldn't the subsequent
> proxy requests use it too? or am i missing something obvious here?
>
> -- Chris
>
--
~Kevin
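Added example (not part of the thread, and not Shindig's own gadgets.js or server code): a small JavaScript model of the two behaviours discussed above. The client half attaches the st token to a proxy request only when authz is "signed" or "authenticated", as Kevin describes, so a plain makeRequest produces the empty st= that Chris saw. The server half parses whatever st arrives and treats an empty value as an anonymous request instead of trying to pull owner/viewer out of an empty string. The six-field token layout is taken from the default token quoted in the thread; the field names, the "empty st means anonymous" rule, and the query-parameter order are assumptions for illustration. The example checks only presence and shape of the token, not its signature.

```javascript
// Added illustration, not Shindig's own code. Models both halves of the
// thread: a makeRequest-style client deciding whether to attach the security
// token (st) to a proxy call, and a server parsing whatever st arrives.
// Token layout follows the default quoted in the thread:
//   owner:viewer:appid:synd:url:moduleid
// The field names and the "empty st means anonymous" rule are assumptions.
// Signature verification of the token is out of scope here.

const DEFAULT_TOKEN = 'john.doe:john.doe:appid:synd:url:0';

// Client side. The token is attached only when authz is "signed" or
// "authenticated"; otherwise st is sent empty, which is what the proxy URL
// in the thread shows.
function securityTokenForRequest(authz, token) {
  return authz === 'signed' || authz === 'authenticated' ? token : '';
}

// Build the proxy query string. Parameter names mirror the URL in the thread;
// the oauth* parameters are omitted.
function buildProxyQuery(targetUrl, opts) {
  const authz = opts.authz || '';
  const params = {
    output: 'js',
    refresh: String(opts.refresh === undefined ? 3600 : opts.refresh),
    url: targetUrl,
    httpMethod: opts.httpMethod || 'GET',
    headers: opts.headers || '',
    postData: opts.postData || '',
    authz: authz,
    st: securityTokenForRequest(authz, opts.st || ''),
  };
  return Object.entries(params)
    .map(([k, v]) => k + '=' + encodeURIComponent(v))
    .join('&');
}

// Server side. An empty st is an anonymous request, not an error; a non-empty
// token must carry all six fields. The url field may itself contain colons,
// so it is taken as everything between the fourth field and the module id.
function parseSecurityToken(st) {
  if (st === undefined || st === null || st === '') {
    return { anonymous: true };
  }
  const parts = st.split(':');
  if (parts.length < 6) throw new Error('malformed security token');
  const owner = parts[0], viewer = parts[1], appId = parts[2], domain = parts[3];
  const moduleId = parts[parts.length - 1];
  const appUrl = parts.slice(4, -1).join(':');
  if ([owner, viewer, appId, domain, appUrl].some(f => f === '') ||
      !/^\d+$/.test(moduleId)) {
    throw new Error('malformed security token');
  }
  return { anonymous: false, owner, viewer, appId, domain, appUrl,
           moduleId: Number(moduleId) };
}

// Authorization decision for an incoming proxy URL: signed/authenticated
// requests need a real token; anything else proceeds anonymously.
function authorizeProxyRequest(urlString) {
  const url = new URL(urlString);
  const authz = url.searchParams.get('authz') || '';
  const token = parseSecurityToken(url.searchParams.get('st'));
  if ((authz === 'signed' || authz === 'authenticated') && token.anonymous) {
    return { allowed: false, reason: 'authz=' + authz + ' requires a security token' };
  }
  return { allowed: true, token };
}
```

Running authorizeProxyRequest on the exact proxy URL quoted in the thread (authz= and st= both empty) yields an anonymous, allowed request; the same URL with authz=signed and an empty st is refused, which is the check a proxy needs so that an empty token is never mistaken for a valid viewer.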