Posted to commits@shindig.apache.org by jo...@apache.org on 2011/03/25 23:17:10 UTC

svn commit: r1085582 - /shindig/trunk/features/src/main/javascript/features/rpc/rpc.js

Author: johnh
Date: Fri Mar 25 22:17:10 2011
New Revision: 1085582

URL: http://svn.apache.org/viewvc?rev=1085582&view=rev
Log:
Pass along verified origin *and* referer (spelled w/ one 'r' for consistency w/ the HTTP header, alas) to gadgets.rpc handlers. This allows easier origin verification while also allowing for use of originating referrer where useful for stats.


Modified:
    shindig/trunk/features/src/main/javascript/features/rpc/rpc.js

Modified: shindig/trunk/features/src/main/javascript/features/rpc/rpc.js
URL: http://svn.apache.org/viewvc/shindig/trunk/features/src/main/javascript/features/rpc/rpc.js?rev=1085582&r1=1085581&r2=1085582&view=diff
==============================================================================
--- shindig/trunk/features/src/main/javascript/features/rpc/rpc.js (original)
+++ shindig/trunk/features/src/main/javascript/features/rpc/rpc.js Fri Mar 25 22:17:10 2011
@@ -109,6 +109,7 @@ if (!gadgets.rpc) { // make lib resilien
      * @private
      */
     var RPC_KEY_ORIGIN = 'origin';
+    var RPC_KEY_REFERRER = 'referer';
 
     var services = {};
     var relayUrl = {};
@@ -259,10 +260,10 @@ if (!gadgets.rpc) { // make lib resilien
      * and guard code in the method ensures the same before dispatching
      * any service handler.
      * @param {Object} rpc RPC request object.
-     * @param {String} opt_origin Verified origin of the rpc sender, if available.
+     * @param {String} opt_sender RPC sender, if available and with a verified origin piece.
      * @private
      */
-    function process(rpc, opt_origin) {
+    function process(rpc, opt_sender) {
       //
       // RPC object contents:
       //   s: Service Name
@@ -315,7 +316,19 @@ if (!gadgets.rpc) { // make lib resilien
 
         // Set the requestor origin.
         // If not passed by the transport, then this simply sets to undefined.
-        rpc[RPC_KEY_ORIGIN] = opt_origin;
+        if (opt_sender) {
+          var origin = getOrigin(opt_sender);
+          rpc[RPC_KEY_ORIGIN] = opt_origin;
+          var referrer = document.referrer;
+          if (!referrer || getOrigin(referrer) != origin) {
+            // Transports send along as much info as they can about the sender
+            // of the message; 'origin' is the origin component alone, while
+            // 'referrer' is a best-effort field set from available information.
+            // The second clause simply verifies that referrer is valid.
+            referrer = opt_sender;
+          }
+          rpc[RPC_KEY_REFERRER] = referrer; 
+        }
 
         // Call the requested RPC service.
         var result = (services[rpc['s']] ||
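Review bot: The added line `rpc[RPC_KEY_ORIGIN] = opt_origin;` still uses the old parameter name, which this commit renames to `opt_sender`; unless `opt_origin` is defined elsewhere in the file, evaluating it throws a ReferenceError, so the line should read `rpc[RPC_KEY_ORIGIN] = origin;`. Both assignments now sit inside `if (opt_sender)`, so when the transport supplies no sender the `origin` key is no longer reset to undefined, which contradicts the comment above the block. If the rpc object is built from the received message, as it appears to be, a handler could then read an `origin` or `referer` value chosen by the sender rather than one verified by the transport. Clearing both keys before the `if`, e.g. `rpc[RPC_KEY_ORIGIN] = rpc[RPC_KEY_REFERRER] = undefined;`, restores the previous guarantee. The body of process() starts and ends outside this hunk, so this is based only on the lines shown.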