Posted to commits@shindig.apache.org by jo...@apache.org on 2011/03/25 23:17:10 UTC
svn commit: r1085582 -
/shindig/trunk/features/src/main/javascript/features/rpc/rpc.js
Author: johnh
Date: Fri Mar 25 22:17:10 2011
New Revision: 1085582
URL: http://svn.apache.org/viewvc?rev=1085582&view=rev
Log:
Pass along verified origin *and* referer (spelled w/ one 'r' for consistency w/ the HTTP header, alas) to gadgets.rpc handlers. This allows easier origin verification while also allowing for use of originating referrer where useful for stats.
Modified:
shindig/trunk/features/src/main/javascript/features/rpc/rpc.js
Modified: shindig/trunk/features/src/main/javascript/features/rpc/rpc.js
URL: http://svn.apache.org/viewvc/shindig/trunk/features/src/main/javascript/features/rpc/rpc.js?rev=1085582&r1=1085581&r2=1085582&view=diff
==============================================================================
--- shindig/trunk/features/src/main/javascript/features/rpc/rpc.js (original)
+++ shindig/trunk/features/src/main/javascript/features/rpc/rpc.js Fri Mar 25 22:17:10 2011
@@ -109,6 +109,7 @@ if (!gadgets.rpc) { // make lib resilien
* @private
*/
var RPC_KEY_ORIGIN = 'origin';
+ var RPC_KEY_REFERRER = 'referer';
var services = {};
var relayUrl = {};
@@ -259,10 +260,10 @@ if (!gadgets.rpc) { // make lib resilien
* and guard code in the method ensures the same before dispatching
* any service handler.
* @param {Object} rpc RPC request object.
- * @param {String} opt_origin Verified origin of the rpc sender, if available.
+ * @param {String} opt_sender RPC sender, if available and with a verified origin piece.
* @private
*/
- function process(rpc, opt_origin) {
+ function process(rpc, opt_sender) {
//
// RPC object contents:
// s: Service Name
@@ -315,7 +316,19 @@ if (!gadgets.rpc) { // make lib resilien
// Set the requestor origin.
// If not passed by the transport, then this simply sets to undefined.
- rpc[RPC_KEY_ORIGIN] = opt_origin;
+ if (opt_sender) {
+ var origin = getOrigin(opt_sender);
+ rpc[RPC_KEY_ORIGIN] = opt_origin;
+ var referrer = document.referrer;
+ if (!referrer || getOrigin(referrer) != origin) {
+ // Transports send along as much info as they can about the sender
+ // of the message; 'origin' is the origin component alone, while
+ // 'referrer' is a best-effort field set from available information.
+ // The second clause simply verifies that referrer is valid.
+ referrer = opt_sender;
+ }
+ rpc[RPC_KEY_REFERRER] = referrer;
+ }
// Call the requested RPC service.
var result = (services[rpc['s']] ||
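Review bot: The added line `rpc[RPC_KEY_ORIGIN] = opt_origin;` still reads `opt_origin`, which this commit renames to `opt_sender`, so unless some outer `opt_origin` exists it throws a ReferenceError whenever a sender is supplied; it should be `rpc[RPC_KEY_ORIGIN] = origin;`. The assignment also now runs only inside `if (opt_sender)`, so the context comment "If not passed by the transport, then this simply sets to undefined" no longer holds. If the rpc object is built from the received message (not visible in this hunk), an `origin` or `referer` value supplied by the sender would then reach service handlers unverified when the transport provides no sender. Resetting both keys before the branch, `rpc[RPC_KEY_ORIGIN] = undefined; rpc[RPC_KEY_REFERRER] = undefined;`, restores the old guarantee. `process()` starts and ends outside this hunk, so any later guard code is not visible here.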