Posted to dev@shindig.apache.org by Karsten Beyer <ma...@kbeyer.net> on 2008/07/11 11:20:31 UTC

How to prevent abuse of the proxy

Hi,

what is the suggested strategy to prevent abuse of the open proxy at
/gadgets/proxy? I found some old discussions from February about adding
the IP address of the user as HTTP header. Some testing however showed
that this is not yet implemented.

Are there any plans to implement some kind of whitelist feature? More
importantly: Are there any reasons against implementing such a feature?

Best Regards,

Karsten Beyer
mail@kbeyer.net

Re: How to prevent abuse of the proxy

Posted by Chris Chabot <ch...@xs4all.nl>.
I dislike white-lists a lot since it makes running 'any gadget' on a
social network site a -lot- more human effort dependent.

Especially if a gadget developer would have to send an email to hundreds to
thousands of different open social enabled sites, every time they
makeRequest to a new domain ... that just doesn't scale and will lead to a
lot of broken gadgets... Of course if you have a very tightly controlled
environment where you wrote all the gadgets yourself that might work, but
otherwise it would be a recipe for disaster.

Besides that would be an open social spec change, and those discussions
belong on the spec discussion group: opensocial-and-gadgets-spec@googlegroups.com
and not in shindig land, we implement the spec we don't create it :)

I think adding a security token that included the IP would already provide
a good solid security model to prevent abuse, and I don't think it would
break existing gadgets nor change the specification, so I'd strongly prefer
that.

	-- Chris

On Jul 11, 2008, at 2:59 PM, Karsten Beyer wrote:

> Hi,
> I don't understand. The proxy is even delivering pages when there is no
> security token at all. e.g.
>
> http://shindig.mydomain/gadgets/proxy?url=google.com
>
> At the server the page is requested from, there is no indication, that it is
> fetched by a proxy. There could be severe legal trouble if someone abuses
> our open proxy to do something illegal as we have no way to prove otherwise.
>
> So my idea was to whitelist the domains from which the proxy will fetch
> content.
>
> Best Regards
>
> Karsten Beyer
>

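Added example (not code from the thread and not Shindig's own token code): one way to do what Chris and Ropu suggest, a security token that carries the IP the container saw when it rendered the gadget, checked on every proxy request so that a bare proxy?url=... call with no token, or a token replayed from another address, is refused. It is written in Python rather than Shindig's Java so it runs stand-alone. The field layout, HMAC-SHA256 signing, the CONTAINER_SECRET value and the assumption that the token arrives in the 'st' query parameter are this example's own choices, not Shindig's token format.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Assumption for this example: a secret known only to the container and its
# Shindig server. The value is constructed for the demo; a deployment would
# load it from configuration or a key store.
CONTAINER_SECRET = b"example-container-secret-do-not-reuse"

# Tokens older than this are refused even when the signature and IP match.
TOKEN_TTL_SECONDS = 3600


class TokenError(ValueError):
    """Token is missing, malformed, forged, stale, or bound to another IP."""


def _mac(payload: str, secret: bytes) -> str:
    digest = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_token(owner: str, viewer: str, app_url: str, client_ip: str,
               issued_at: int, secret: bytes = CONTAINER_SECRET) -> str:
    """Mint a token for one gadget render, binding it to the client IP.

    Every field is percent-encoded (':' included) so the payload splits cleanly.
    """
    fields = (owner, viewer, app_url, client_ip, str(issued_at))
    payload = ":".join(quote(f, safe="") for f in fields)
    return payload + ":" + _mac(payload, secret)


def verify_token(token: str, request_ip: str, now: int,
                 secret: bytes = CONTAINER_SECRET) -> dict:
    """Check signature, IP binding and age; return the token's fields on success."""
    if not token or token.count(":") != 5:
        raise TokenError("missing or malformed token")
    payload, sig = token.rsplit(":", 1)
    # Constant-time compare: a forged token must not leak how many bytes matched.
    if not hmac.compare_digest(sig, _mac(payload, secret)):
        raise TokenError("bad signature")
    owner, viewer, app_url, client_ip, issued_at = (unquote(p) for p in payload.split(":"))
    if client_ip != request_ip:
        raise TokenError("token was issued to a different client IP")
    if not 0 <= now - int(issued_at) <= TOKEN_TTL_SECONDS:
        raise TokenError("token expired or not yet valid")
    return {"owner": owner, "viewer": viewer, "app_url": app_url,
            "client_ip": client_ip, "issued_at": int(issued_at)}


def authorize_proxy_request(params: dict, request_ip: str, now: int) -> bool:
    """Gate for /gadgets/proxy: no valid, IP-bound token means no fetch.

    The token is assumed (for this example) to arrive as the 'st' parameter.
    """
    try:
        verify_token(params.get("st", ""), request_ip, now)
    except ValueError:  # TokenError and a non-numeric issued_at both land here
        return False
    return True
```

The binding only holds if the container and the proxy see the same client address: if the container took the IP from a trusted X-Forwarded-For header, the proxy must read the same header from the same trusted front end, and a viewer behind a NAT pool or a rotating forward proxy will be refused when the address changes mid-session. It also says nothing about where the proxy may fetch from once the token is valid; Karsten's whitelist is a separate check.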

Re: How to prevent abuse of the proxy

Posted by Karsten Beyer <ma...@kbeyer.net>.
Hi,
I don't understand. The proxy is even delivering pages when there is no
security token at all. e.g.

http://shindig.mydomain/gadgets/proxy?url=google.com

At the server the page is requested from, there is no indication, that it is
fetched by a proxy. There could be severe legal trouble if someone abuses
our open proxy to do something illegal as we have no way to prove otherwise.

So my idea was to whitelist the domains from which the proxy will fetch
content.

Best Regards

Karsten Beyer

On Fri, Jul 11, 2008 at 2:19 PM, Ropu <ro...@gmail.com> wrote:

> U can try adding the ip the the Security Token too.
>
> ropu

Re: How to prevent abuse of the proxy

Posted by Ropu <ro...@gmail.com>.
U can try adding the IP to the Security Token too.

ropu

On Fri, Jul 11, 2008 at 6:20 AM, Karsten Beyer <ma...@kbeyer.net> wrote:

> Hi,
>
> what is the suggested strategy to prevent abuse of the open proxy at
> /gadgets/proxy? I found some old discussions from february about adding the
> IP address of the user as HTTP header. Some testing however showed that this
> is not yet implemented.
>
> Are there any plans to implement some kind of whitelist feature? More
> importantly: Are there any reasons against implementing such a feature?
>
>
> Best Regards,
>
> Karsten Beyer
> mail@kbeyer.net

-- 
.-. --- .--. ..-
R o p u

Re: How to prevent abuse of the proxy

Posted by Kevin Brown <et...@google.com>.
On Wed, Jul 16, 2008 at 1:58 PM, Chris Chabot <ch...@xs4all.nl> wrote:

> So how does it prevent the use of the proxy as a 'free Akamai' when people
> can use it for their images/etc?


It doesn't help with this if the images are embedded in another page (though
a simple referrer blacklist can help here), but it avoids people sending
links to large images around.

The main purpose is to prevent phishing though, and it does a pretty good
job of that.

Implementing a whitelist of trusted remote hosts is really the ideal
solution, but it doesn't scale that well (if you support xx thousand
gadgets, you're not going to be able to whitelist all the remote urls).

> On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote:
>
>> Yes, it works under that use case. Sending it as an attachment does not
>> interfere with legitimate use of the proxy as it does not impact img,
>> object, embed, script, or link elements or style sheet imports.
>>
>> On Wed, Jul 16, 2008 at 1:46 PM, Ropu <ro...@gmail.com> wrote:
>>
>>> hi
>>>
>>> i have a question.
>>>
>>> will sending proxy results as attachment work with this example?
>>>
>>> *Let the container cache your dynamic content*
>>> http://code.google.com/apis/opensocial/articles/latency/#dynamic
>>>
>>> The gadgets.io.getProxyUrl function will return the location of the cached
>>> version of the URL you provide, including images, JavaScript, and CSS. So
>>> instead of using the URL of content hosted on your server, like this:
>>>
>>> function showImage() {
>>>   var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
>>>   var html = ['<img src="', imgUrl, '">'];
>>>   document.getElementById('dom_handle').innerHTML = html.join('');
>>> }
>>>
>>> showImage();
>>>
>>> you can use the URL of the cached content, like this:
>>>
>>> function showImage() {
>>>   var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
>>>   // the only change: ask the container for the proxied (cached) URL
>>>   var cachedUrl = gadgets.io.getProxyUrl(imgUrl);
>>>   var html = ['<img src="', cachedUrl, '">'];
>>>   document.getElementById('dom_handle').innerHTML = html.join('');
>>> }
>>>
>>> showImage();
>>>
>>> if so, is it preventing "free akamai" or phishing?
>>>
>>> said this, either the example is wrong (and we are limiting functionality)
>>> or the solution is partial (or I'm completely mixed up :P)
>>>
>>> ropu
>>>
>>> On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <et...@google.com> wrote:
>>>
>>>> On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <ma...@kbeyer.net> wrote:
>>>>
>>>> You could always add a whitelist for outbound requests, but you'd have to
>>>> do a custom http fetcher implementation.
>>>>
>>>> The java version is currently returning all proxied files as attachments,
>>>> which has helped significantly with reducing the potential of
>>>> /gadgets/proxy as a phishing vector or free Akamai.
>>>
>>> --
>>> .-. --- .--. ..-
>>> R o p u

Re: How to prevent abuse of the proxy

Posted by Kevin Brown <et...@google.com>.
On Wed, Jul 16, 2008 at 2:27 PM, Emilio Daniel González <em...@gmail.com> wrote:

> So, if I were a bad guy, can I copy all Internet into the proxy?! =P

It's a proxy and therefore isn't really inherently any more dangerous than
any other proxy out there. The only real concern was that, since it can be
viewed through a browser pointing at the originating host, it can be used as
a phishing vector. If you do a whois on gmodules.com, for instance, you'll
see that it's owned by Google, and you might not think twice about entering
your user name and password. That's bad.

> On Wed, Jul 16, 2008 at 6:07 PM, Kevin Brown <et...@google.com> wrote:
> >
> > On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González <emdagon@gmail.com> wrote:
> >
> > > btw, why all the files that pass through the proxy are named as "p.txt"?
> > > it's a convention or what?
> >
> > the "p" is arbitrary (it stands for proxy). The .txt extension generally
> > causes the file to be opened in a text editor rather than the web browser
> > (either that or the user gets a download dialog). Most other extensions
> > would be loaded in the browser (making the technique ineffective) or
> > blocked by security software.

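Added example (Python, not Shindig's own Java fetcher or proxy servlet): the three mitigations this thread discusses, side by side as one policy decision per proxy request: the outbound host whitelist Kevin says needs a custom http fetcher, the URL and referrer blacklist he describes running on gmodules.com, and the attachment trick with the p.txt filename explained above. The host names and URL prefixes in it are constructed for the demo, the whitelist is optional (Kevin's point being that it stops scaling somewhere past a few hundred gadgets), and the actual fetch of the upstream body is left out.

```python
from urllib.parse import urlsplit

# Constructed policy values for this example; a container would load its own
# lists from configuration.
BLOCKED_URL_PREFIXES = ("http://blocked.example/",)
BLOCKED_REFERRER_HOSTS = {"hotlinker.example"}


class ProxyDenied(Exception):
    """The proxy refuses to fetch or serve this request."""


def target_host(url: str) -> str:
    """Host of an absolute http(s) URL; anything else is refused.

    A bare 'url=google.com' as in the thread has no scheme and is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ProxyDenied("url must be an absolute http or https URL")
    return parts.hostname.lower()


def check_target(url: str, allowed_hosts=None,
                 blocked_prefixes=BLOCKED_URL_PREFIXES) -> str:
    """Apply the optional host whitelist, then the URL blacklist; return the host."""
    host = target_host(url)
    if allowed_hosts is not None:
        # A whitelist entry matches the host itself and any subdomain of it.
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            raise ProxyDenied(f"host {host} is not whitelisted")
    if url.startswith(blocked_prefixes):
        raise ProxyDenied("url is blacklisted")
    return host


def check_referrer(referrer, blocked_hosts=BLOCKED_REFERRER_HOSTS):
    """Refuse embeds from blacklisted sites; an absent Referer is let through.

    The header is trivially omitted or forged, so this only stops casual
    hot-linking of proxied images from third-party pages.
    """
    if not referrer:
        return None
    rhost = (urlsplit(referrer).hostname or "").lower()
    if rhost in blocked_hosts:
        raise ProxyDenied(f"referrer {rhost} is blacklisted")
    return rhost


def response_headers(content_type: str) -> dict:
    """Headers for a proxied body, served as an attachment named p.txt.

    Someone who navigates straight to the proxy URL gets a download prompt or
    a text editor instead of a rendered page, which is what removes the
    phishing use. Browsers ignore Content-Disposition for subresources (img,
    script, link, object, embed, CSS imports), so gadgets that use
    getProxyUrl keep working.
    """
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="p.txt"',
    }


def handle_proxy_request(url: str, referrer, content_type: str,
                         allowed_hosts=None) -> dict:
    """Policy decision for one /gadgets/proxy request; 403 carries the reason."""
    try:
        host = check_target(url, allowed_hosts)
        check_referrer(referrer)
    except ProxyDenied as e:
        return {"status": 403, "reason": str(e)}
    return {"status": 200, "upstream_host": host,
            "headers": response_headers(content_type)}
```

As Kevin says above, the attachment header defeats the page-rendering (phishing) abuse but not the bandwidth abuse: an img tag on a third-party page ignores it, and that case is only caught by the referrer check, which a determined hot-linker sidesteps by stripping the header. The whitelist is the only one of the three that actually bounds where the proxy will go.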
Re: How to prevent abuse of the proxy

Posted by Kevin Brown <et...@google.com>.
On Thu, Jul 17, 2008 at 1:24 AM, Chris Chabot <ch...@xs4all.nl> wrote:

> See i think the main difference is that people who have much smaller
> containers, limited bandwidth and limited cash might be more worried about a
> bandwidth hit then say, a google would be :)


Indeed, and those smaller containers probably don't have as many gadgets to
deal with, and as such a whitelisting approach may work out just fine.
Whitelisting the urls for a few hundred gadgets isn't too bad, it's when you
have to deal with them for several thousand that it becomes problematic.

> On Jul 17, 2008, at 2:55 AM, Kevin Brown wrote:
>
>> We just blacklist certain urls and certain referrers on gmodules.com. We
>> haven't really had any issue with that scheme, and we're a pretty big
>> target for exploits.

Re: How to prevent abuse of the proxy

Posted by Chris Chabot <ch...@xs4all.nl>.
See I think the main difference is that people who have much smaller
containers, limited bandwidth and limited cash might be more worried
about a bandwidth hit than say, a google would be :)

On Jul 17, 2008, at 2:55 AM, Kevin Brown wrote:

> We just blacklist certain urls and certain referrers on gmodules.com. We
> haven't really had any issue with that scheme, and we're a pretty big target
> for exploits.

Re: How to prevent abuse of the proxy

Posted by Kevin Brown <et...@google.com>.
We just blacklist certain urls and certain referrers on gmodules.com. We
haven't really had any issue with that scheme, and we're a pretty big target
for exploits.

On Wed, Jul 16, 2008 at 2:45 PM, Chris Chabot <ch...@xs4all.nl> wrote:

> Some might feel the same ... adding a security token to all the proxy
> requests or checking referrers etc has been added as a possible solution to
> reduce the risk a bit but so far hasn't gotten a lot of traction.
>
> On Jul 16, 2008, at 11:39 PM, Emilio Daniel González wrote:
>
>> That is abuse! I think...
>>
>> On Wed, Jul 16, 2008 at 6:34 PM, Chris Chabot <ch...@xs4all.nl> wrote:
>>
>>> Well what you -could- do is create a site, and host all the 'images' (lets
>>> pretend this does not involve scantly dressed people) on the pages on
>>> <img src="http://shindig/proxy?url=http://myhost.com/some/image.gif" /> ...
>>> and thus offloading most of the bandwidth used to the proxy instead of the
>>> originating site.
>>>
>>> On Jul 16, 2008, at 11:27 PM, Emilio Daniel González wrote:
>>>
>>>> So, if I were a bad guy, can I copy all Internet into the proxy?! =P

Re: How to prevent abuse of the proxy

Posted by Chris Chabot <ch...@xs4all.nl>.
Some might feel the same ... adding a security token to all the proxy  
requests or checking referrers etc has been added as a possible  
solution to reduce the risk a bit but so far hasn't gotten a lot of  
traction.

On Jul 16, 2008, at 11:39 PM, Emilio Daniel González wrote:

> That is abuse! I think...
>
> On Wed, Jul 16, 2008 at 6:34 PM, Chris Chabot <ch...@xs4all.nl> wrote:
>> Well what you -could- do is create a site, and host all the 'images' (let's
>> pretend this does not involve scantily dressed people) on the pages on img
>> src="http://shindig/proxy?url=http://myhost.com/some/image.gif" /> ... and
>> thus offloading most of the bandwidth used to the proxy instead of the
>> originating site.


Re: How to prevent abuse of the proxy

Posted by Emilio Daniel González <em...@gmail.com>.
That is abuse! I think...

On Wed, Jul 16, 2008 at 6:34 PM, Chris Chabot <ch...@xs4all.nl> wrote:
> Well what you -could- do is create a site, and host all the 'images' (let's
> pretend this does not involve scantily dressed people) on the pages on img
> src="http://shindig/proxy?url=http://myhost.com/some/image.gif" /> ... and
> thus offloading most of the bandwidth used to the proxy instead of the
> originating site.

Re: How to prevent abuse of the proxy

Posted by Chris Chabot <ch...@xs4all.nl>.
Well what you -could- do is create a site, and host all the 'images'
(let's pretend this does not involve scantily dressed people) on the
pages on img src="http://shindig/proxy?url=http://myhost.com/some/image.gif" />
... and thus offloading most of the bandwidth used to the proxy instead
of the originating site.



On Jul 16, 2008, at 11:27 PM, Emilio Daniel González wrote:

> So, if I were a bad guy, can I copy all Internet into the proxy?! =P


Re: How to prevent abuse of the proxy

Posted by Emilio Daniel González <em...@gmail.com>.
So, if I were a bad guy, can I copy all Internet into the proxy?! =P

On Wed, Jul 16, 2008 at 6:07 PM, Kevin Brown <et...@google.com> wrote:
>
> On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González <em...@gmail.com>
> wrote:
>
> > btw, why all the files that pass through the proxy are named as "p.txt"?
> > it's a convention or what?
>
>
> the "p" is arbitrary (it stands for proxy). The .txt extension generally
> causes the file to be opened in a text editor rather than the web browser
> (either that or the user gets a download dialog). Most other extensions
> would be loaded in the browser (making the technique ineffective) or blocked
> by security software.

Re: How to prevent abuse of the proxy

Posted by Kevin Brown <et...@google.com>.
On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González <em...@gmail.com>
wrote:

> btw, why all the files that pass through the proxy are named as "p.txt"?
> it's a convention or what?


the "p" is arbitrary (it stands for proxy). The .txt extension generally
causes the file to be opened in a text editor rather than the web browser
(either that or the user gets a download dialog). Most other extensions
would be loaded in the browser (making the technique ineffective) or blocked
by security software.



Re: How to prevent abuse of the proxy

Posted by Emilio Daniel González <em...@gmail.com>.
btw, why all the files that pass through the proxy are named as "p.txt"?
it's a convention or what?

On Wed, Jul 16, 2008 at 5:58 PM, Chris Chabot <ch...@xs4all.nl> wrote:

> So how does it prevent the use of the proxy as a 'free Akamai' when people
> can use it for their images/etc?

Re: How to prevent abuse of the proxy

Posted by Chris Chabot <ch...@xs4all.nl>.
So how does it prevent the use of the proxy as a 'free Akamai' when  
people can use it for their images/etc?

On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote:

> Yes, it works under that use case. Sending it as an attachment does not
> interfere with legitimate use of the proxy as it does not impact img,
> object, embed, script, or link elements or style sheet imports.


Re: How to prevent abuse of the proxy

Posted by Kevin Brown <et...@google.com>.
Yes, it works under that use case. Sending it as an attachment does not
interfere with legitimate use of the proxy as it does not impact img,
object, embed, script, or link elements or style sheet imports.

On Wed, Jul 16, 2008 at 1:46 PM, Ropu <ro...@gmail.com> wrote:

> hi
>
> i have a question.
>
> will sending proxy results as attachment work with this example?
> *Let the container cache your dynamic content*
> http://code.google.com/apis/opensocial/articles/latency/#dynamic
>
> The gadgets.io.getProxyUrl function will return the location of the cached
> version of the URL you provide, including images, JavaScript, and CSS. So
> instead of using the URL of content hosted on your server, like this:
>
> function showImage() {
>  imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
>  html = ['<img src="', imgUrl, '">'];
>  document.getElementById('dom_handle').innerHTML = html.join('');
> };
>
> showImage();
>
> you can use the URL of the cached content, like this:
>
> function showImage() {
> imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
> *cachedUrl = gadgets.io.getProxyUrl(imgUrl);*
> html = ['<img src="', *cachedUrl*, '">'];
> document.getElementById('dom_handle').innerHTML = html.join('');
> };
>
>
> showImage();
>
>
>
> if so, its preventing "free akamai"or phishing?
>
> said this, or the example is wrong (and we are limiting functionality) or
> the solution is partial (or im completely mixed up :P)
>
> ropu
>
> On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <et...@google.com> wrote:
>
> > On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <ma...@kbeyer.net> wrote:
> >
> > > Hi,
> > >
> > > what is the suggested strategy to prevent abuse of the open proxy at
> > > /gadgets/proxy? I found some old discussions from february about adding
> > the
> > > IP address of the user as HTTP header. Some testing however showed that
> > this
> > > is not yet implemented.
> > >
> > > Are there any plans to implement some kind of whitelist feature? More
> > > importantly: Are there any reasons against implementing such a feature?
> >
> >
> > You could always add a whitelist for outbound requests, but you'd have to
> > do
> > a custom http fetcher implementation.
> >
> > The java version is currently returning all proxied files as attachments,
> > which has helped significantly with reducing the potential of
> > /gadgets/proxy
> > as a phishing vector or free Akamai.
> >
> >
> > >
> > >
> > >
> > > Best Regards,
> > >
> > > Karsten Beyer
> > > mail@kbeyer.net
> > >
> > >
> > >
> > >
> >
>
>
>
> --
> .-. --- .--. ..-
> R o p u
>

Re: How to prevent abuse of the proxy

Posted by Ropu <ro...@gmail.com>.
Hi,

I have a question.

will sending proxy results as attachment work with this example?

Let the container cache your dynamic content
http://code.google.com/apis/opensocial/articles/latency/#dynamic

The gadgets.io.getProxyUrl function will return the location of the cached
version of the URL you provide, including images, JavaScript, and CSS. So
instead of using the URL of content hosted on your server, like this:

function showImage() {
  var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
  var html = ['<img src="', imgUrl, '">'];
  document.getElementById('dom_handle').innerHTML = html.join('');
}

showImage();

you can use the URL of the cached content, like this:

function showImage() {
  var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
  // rewrite the URL so the image is served through the container's /gadgets/proxy cache
  var cachedUrl = gadgets.io.getProxyUrl(imgUrl);
  var html = ['<img src="', cachedUrl, '">'];
  document.getElementById('dom_handle').innerHTML = html.join('');
}

showImage();

if so, it's preventing "free akamai" or phishing?

Having said this, either the example is wrong (and we are limiting functionality) or
the solution is partial (or I'm completely mixed up :P)

ropu

On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <et...@google.com> wrote:

> On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <ma...@kbeyer.net> wrote:
>
> > Hi,
> >
> > what is the suggested strategy to prevent abuse of the open proxy at
> > /gadgets/proxy? I found some old discussions from february about adding
> the
> > IP address of the user as HTTP header. Some testing however showed that
> this
> > is not yet implemented.
> >
> > Are there any plans to implement some kind of whitelist feature? More
> > importantly: Are there any reasons against implementing such a feature?
>
>
> You could always add a whitelist for outbound requests, but you'd have to
> do
> a custom http fetcher implementation.
>
> The java version is currently returning all proxied files as attachments,
> which has helped significantly with reducing the potential of
> /gadgets/proxy
> as a phishing vector or free Akamai.
>
>
> >
> >
> >
> > Best Regards,
> >
> > Karsten Beyer
> > mail@kbeyer.net
> >
> >
> >
> >
>



-- 
.-. --- .--. ..-
R o p u

Re: How to prevent abuse of the proxy

Posted by Kevin Brown <et...@google.com>.
On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <ma...@kbeyer.net> wrote:

> Hi,
>
> what is the suggested strategy to prevent abuse of the open proxy at
> /gadgets/proxy? I found some old discussions from february about adding the
> IP address of the user as HTTP header. Some testing however showed that this
> is not yet implemented.
>
> Are there any plans to implement some kind of whitelist feature? More
> importantly: Are there any reasons against implementing such a feature?


You could always add a whitelist for outbound requests, but you'd have to do
a custom http fetcher implementation.

The java version is currently returning all proxied files as attachments,
which has helped significantly with reducing the potential of /gadgets/proxy
as a phishing vector or free Akamai.


>
>
>
> Best Regards,
>
> Karsten Beyer
> mail@kbeyer.net
>
>
>
>
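The two mitigations discussed in this thread, Kevin's note that the Java proxy returns everything as an attachment and his suggestion of an outbound whitelist in a custom http fetcher, put together as an added example. This is not Shindig code: the allowlist of hosts, the `container.example` base URL, the `fake_fetch` stand-in for the network and the function names are all assumptions made for the example; only `/gadgets/proxy`, the `url=` parameter and `Content-Disposition: attachment` come from the thread.

```python
"""Added example (not Shindig's own code): a minimal policy layer for a gadget proxy.

It combines an outbound host allowlist (the "custom http fetcher" idea) with forcing
Content-Disposition: attachment on every proxied response, and includes a checker a
container operator can run over captured response headers.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode, urlsplit

# Constructed allowlist of upstream hosts (an assumption; Shindig ships no such default).
ALLOWED_HOSTS = frozenset({"www.example.com", "static.example.org"})

# Upstream fetcher signature: url -> (status, content_type, body). Production code
# would wrap an HTTP client; the example injects a fake so it runs offline.
Fetcher = Callable[[str], Tuple[int, str, bytes]]


@dataclass
class ProxyResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def make_proxy_url(container_base: str, target: str) -> str:
    """Server-side counterpart of gadgets.io.getProxyUrl: route a URL via /gadgets/proxy."""
    return container_base.rstrip("/") + "/gadgets/proxy?" + urlencode({"url": target})


def is_allowed_upstream(url: str) -> bool:
    """Outbound allowlist: only http(s) to a listed host may be fetched on a gadget's behalf."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()  # hostname is already lower-cased by urlsplit
    return host in ALLOWED_HOSTS


def proxy(url: str, fetch: Fetcher) -> ProxyResponse:
    """Fetch for a gadget and force attachment disposition on whatever comes back."""
    if not is_allowed_upstream(url):
        return ProxyResponse(403, {"Content-Type": "text/plain"}, b"upstream host not allowed")
    status, content_type, body = fetch(url)
    headers = {
        "Content-Type": content_type,
        # A browser navigating straight to the proxy URL gets a download prompt instead of
        # rendering fetched HTML in the container's origin (the phishing case). Subresource
        # consumers (img, script, link, object, embed, CSS imports) ignore Content-Disposition,
        # so the getProxyUrl image example above keeps working.
        "Content-Disposition": "attachment",
    }
    return ProxyResponse(status, headers, body)


def is_forced_download(headers: Dict[str, str]) -> bool:
    """Check captured response headers (e.g. from curl -I) for the attachment mitigation."""
    lowered = {k.lower(): v for k, v in headers.items()}
    disposition = lowered.get("content-disposition", "")
    return disposition.split(";", 1)[0].strip().lower() == "attachment"


def fake_fetch(url: str) -> Tuple[int, str, bytes]:
    """Constructed stand-in for the network: serves a small HTML page for any allowed URL."""
    return 200, "text/html", b"<html><body>a login form would go here</body></html>"


if __name__ == "__main__":
    print(make_proxy_url("http://container.example", "http://www.example.com/i_heart_apis_sm.png"))
    ok = proxy("http://www.example.com/i_heart_apis_sm.png", fake_fetch)
    print(ok.status, ok.headers["Content-Disposition"])
    denied = proxy("http://attacker.invalid/page.html", fake_fetch)
    print(denied.status, denied.body.decode())
```

The allowlist is the part Kevin says requires a custom fetcher and that Chris objects to for open containers; the attachment header is the part that needs no spec change. `is_forced_download` is the check to run against a live container after deploying either: fetch a proxied HTML URL and confirm the disposition is `attachment`.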