Posted to dev@shindig.apache.org by Brian Eaton <be...@google.com> on 2008/01/29 21:03:57 UTC

gadget token location

Hey folks -

When initializing a gadget it seems like the best place to put the
gadget token is in the URL fragment, i.e.
http://somegadget.com/foo.xml#t=token.  What about when the token is
returned to the gadget server for authenticated requests?  The
ProxyHandler code currently looks for the gadget token in the 't'
request parameter, but I'd like to move it to an HTTP header.  URL
parameters tend to leak via the referer header, so moving the gadget
token out of the URL would be a security win.

Cheers,
Brian

Re: gadget token location

Posted by Brian Eaton <be...@google.com>.
On Jan 29, 2008 12:22 PM, Kevin Brown <et...@google.com> wrote:
> gadgets.io needs to start passing this. I also want to rename this "st"
> (security token) to be slightly less vague.

Sounds good to me, I'll change my code to use "st" instead of "t".

Cheers,
Brian
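
As an added illustration of the scheme discussed above (not code from Shindig or from anyone on this thread): the token rides in the iframe URL fragment at initialisation, comes back to the proxy endpoint in a request header, and the handler reads the header before it will even consider a query parameter. The header name `X-Security-Token` and all function names are assumptions; only the `st` parameter name and the `#st=token` fragment form come from the thread.

```javascript
// Added example, not Shindig code. Header name and function names are assumed;
// "st" and the "#st=token" fragment form are the only names taken from the thread.
const TOKEN_HEADER = 'x-security-token'; // assumed header name (header names are case-insensitive)

// Container side: the iframe URL carries the token only in the fragment, so it
// never reaches the gadget server's request line or access log.
function buildGadgetIframeUrl(serverBase, specUrl, token) {
  return serverBase + 'ifr?url=' + encodeURIComponent(specUrl) +
    '#st=' + encodeURIComponent(token);
}

// Gadget side: recover the token from location.hash (passed in as a string so
// this also runs outside a browser).
function tokenFromFragment(hash) {
  return new URLSearchParams(hash.replace(/^#/, '')).get('st');
}

// Gadget side: an authenticated call to the proxy endpoint. The token travels
// in a header; the URL carries only the target to fetch.
function authenticatedRequest(proxyUrl, targetUrl, token) {
  return {
    method: 'POST',
    url: proxyUrl + '?url=' + encodeURIComponent(targetUrl),
    headers: { [TOKEN_HEADER]: token },
  };
}

// Case-insensitive header lookup, since servers normalise names differently.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return null;
}

// Server side, modelled on what a ProxyHandler would do: the header wins; the
// "st" query parameter is honoured only while allowLegacyQueryParam is true,
// because a token in the query string is what leaks through Referer and logs.
function lookupSecurityToken(req, allowLegacyQueryParam = false) {
  const fromHeader = headerValue(req.headers || {}, TOKEN_HEADER);
  if (fromHeader) return { token: fromHeader, source: 'header' };
  if (allowLegacyQueryParam) {
    const fromQuery = new URL(req.url, 'http://localhost').searchParams.get('st');
    if (fromQuery) return { token: fromQuery, source: 'query' };
  }
  return null;
}
```

In a browser the gadget would call `tokenFromFragment(window.location.hash)` once and keep the value in memory; the fragment is never part of any request the browser makes, which is the whole reason it is a usable hiding place. The `allowLegacyQueryParam` switch exists so a server can keep old gadgets working during a migration and then turn the query-parameter path off, rather than leaving two equally trusted channels open for good.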

Re: gadget token location

Posted by Kevin Brown <et...@google.com>.
On Jan 29, 2008 12:03 PM, Brian Eaton <be...@google.com> wrote:

> Hey folks -
>
> When initializing a gadget it seems like the best place to put the
> gadget token is in the URL fragment, i.e.
> http://somegadget.com/foo.xml#t=token.  What about when the token is
> returned to the gadget server for authenticated requests?  The


gadgets.io needs to start passing this. I also want to rename this "st"
(security token) to be slightly less vague.


> ProxyHandler code currently looks for the gadget token in the 't'
> request parameter, but I'd like to move it to an HTTP header.  URL
> parameters tend to leak via the referer header, so moving the gadget
> token out of the URL would be a security win.


+1 on using a header rather than a url parameter.

Re: gadget token location

Posted by Bruno Bowden <br...@google.com>.
Public list, public urls:

http://brunobowden.dreamhosters.com/gadgets/tmp/referrer-source.html#t=token

http://brunobowden.dreamhosters.com/gadgets/tmp/referrer-source.html?t=token


On Jan 29, 2008 12:43 PM, Bruno Bowden <br...@google.com> wrote:

> The contents after the hash are not included in the referrer.
>
>
> http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html#t=token
>
> Compare this to passing it after a "?", in which case the referrer does
> leak the token in the url:
>
>
> http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html?t=token
> We use this behaviour in Gadget Ads and iGoogle to hide similar sensitive
> data.
>
> Passing it in the header is still more secure though.
>
>
>
>
>
> On Jan 29, 2008 12:13 PM, Paul Lindner <pl...@hi5.com> wrote:
>
> > On Tue, Jan 29, 2008 at 12:03:57PM -0800, Brian Eaton wrote:
> > > Hey folks -
> > >
> > > When initializing a gadget it seems like the best place to put the
> > > gadget token is in the URL fragment, i.e.
> > > http://somegadget.com/foo.xml#t=token.  What about when the token is
> > > returned to the gadget server for authenticated requests?  The
> > > ProxyHandler code currently looks for the gadget token in the 't'
> > > request parameter, but I'd like to move it to an HTTP header.  URL
> > > parameters tend to leak via the referer header, so moving the gadget
> > > token out of the URL would be a security win.
> >
> > My gadgets.js has this.
> >
> >
> > @@ -499,7 +500,7 @@
> >   return this.serverBase_ + 'ifr?url=' +
> >       encodeURIComponent(this.specUrl) + '&synd=' + this.SYND +
> > '&mid=' +
> >       this.id + '&parent=' + encodeURIComponent(
> > gadgets.container.parentUrl_) +
> > -      '&ogc=' + document.location.host + this.getUserPrefsParams();
> > +      '&ogc=' + document.location.host + this.getUserPrefsParams() +
> > '#' + this.hashState;
> >  };
> >
> >  gadgets.IfrGadget.prototype.getUserPrefsParams = function() {
> >
> >
> > When you add a gadget you specify:
> >
> >  var gadget = gadgets.container.createGadget({specUrl: specUrl0,
> >                                               hashState: 'xxxxxxx'});
> >
> > I'll try and bundle up my changes for general consumption..
> >
> >
> > --
> > Paul Lindner
> > hi5 Architect
> > plindner@hi5.com
> >
>
>

Re: gadget token location

Posted by Kevin Brown <et...@google.com>.
Brian is referring to passing it to the end points (such as the proxy
handler). Passing it on the hash to the iframe is the only way to get it
into the iframe at all.

On Jan 29, 2008 12:43 PM, Bruno Bowden <br...@google.com> wrote:

> The contents after the hash are not included in the referrer.
>
>
> http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html#t=token
>
> Compare this to passing it after a "?", in which case the referrer does
> leak
> the token in the url:
>
>
> http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html?t=token
> We use this behaviour in Gadget Ads and iGoogle to hide similar sensitive
> data.
>
> Passing it in the header is still more secure though.
>
>
>
>
> On Jan 29, 2008 12:13 PM, Paul Lindner <pl...@hi5.com> wrote:
>
> > On Tue, Jan 29, 2008 at 12:03:57PM -0800, Brian Eaton wrote:
> > > Hey folks -
> > >
> > > When initializing a gadget it seems like the best place to put the
> > > gadget token is in the URL fragment, i.e.
> > > http://somegadget.com/foo.xml#t=token.  What about when the token is
> > > returned to the gadget server for authenticated requests?  The
> > > ProxyHandler code currently looks for the gadget token in the 't'
> > > request parameter, but I'd like to move it to an HTTP header.  URL
> > > parameters tend to leak via the referer header, so moving the gadget
> > > token out of the URL would be a security win.
> >
> > My gadgets.js has this.
> >
> >
> > @@ -499,7 +500,7 @@
> >   return this.serverBase_ + 'ifr?url=' +
> >       encodeURIComponent(this.specUrl) + '&synd=' + this.SYND +
> > '&mid=' +
> >       this.id + '&parent=' + encodeURIComponent(
> > gadgets.container.parentUrl_) +
> > -      '&ogc=' + document.location.host + this.getUserPrefsParams();
> > +      '&ogc=' + document.location.host + this.getUserPrefsParams() +
> '#'
> > + this.hashState;
> >  };
> >
> >  gadgets.IfrGadget.prototype.getUserPrefsParams = function() {
> >
> >
> > When you add a gadget you specify:
> >
> >  var gadget = gadgets.container.createGadget({specUrl: specUrl0,
> >                                               hashState: 'xxxxxxx'});
> >
> > I'll try and bundle up my changes for general consumption..
> >
> >
> > --
> > Paul Lindner
> > hi5 Architect
> > plindner@hi5.com
> >
>

Re: gadget token location

Posted by Bruno Bowden <br...@google.com>.
The contents after the hash are not included in the referrer.


http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html#t=token

Compare this to passing it after a "?", in which case the referrer does leak
the token in the url:


http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html?t=token
We use this behaviour in Gadget Ads and iGoogle to hide similar sensitive
data.

Passing it in the header is still more secure though.




On Jan 29, 2008 12:13 PM, Paul Lindner <pl...@hi5.com> wrote:

> On Tue, Jan 29, 2008 at 12:03:57PM -0800, Brian Eaton wrote:
> > Hey folks -
> >
> > When initializing a gadget it seems like the best place to put the
> > gadget token is in the URL fragment, i.e.
> > http://somegadget.com/foo.xml#t=token.  What about when the token is
> > returned to the gadget server for authenticated requests?  The
> > ProxyHandler code currently looks for the gadget token in the 't'
> > request parameter, but I'd like to move it to an HTTP header.  URL
> > parameters tend to leak via the referer header, so moving the gadget
> > token out of the URL would be a security win.
>
> My gadgets.js has this.
>
>
> @@ -499,7 +500,7 @@
>   return this.serverBase_ + 'ifr?url=' +
>       encodeURIComponent(this.specUrl) + '&synd=' + this.SYND +
> '&mid=' +
>       this.id + '&parent=' + encodeURIComponent(
> gadgets.container.parentUrl_) +
> -      '&ogc=' + document.location.host + this.getUserPrefsParams();
> +      '&ogc=' + document.location.host + this.getUserPrefsParams() + '#'
> + this.hashState;
>  };
>
>  gadgets.IfrGadget.prototype.getUserPrefsParams = function() {
>
>
> When you add a gadget you specify:
>
>  var gadget = gadgets.container.createGadget({specUrl: specUrl0,
>                                               hashState: 'xxxxxxx'});
>
> I'll try and bundle up my changes for general consumption..
>
>
> --
> Paul Lindner
> hi5 Architect
> plindner@hi5.com
>
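
The browser rule behind Bruno's two test pages, as an added example that is not part of this thread and not his referrer-source page: a user agent builds the Referer value from the referring URL with the fragment (and any userinfo) removed, so `#t=token` never leaves the browser while `?t=token` is sent to every third-party resource the page loads. The function models that rule for the original default behaviour and, going beyond what the thread covers, for the stricter `strict-origin-when-cross-origin` policy that later browsers default to. The page URL reuses the public path posted above; the cross-origin image URL and the function names are constructed for the example.

```javascript
// Added example, not Shindig code. Models the Referer header a browser sends for a
// request from pageUrl to targetUrl under a given Referrer-Policy value; the 2008
// behaviour corresponds to 'no-referrer-when-downgrade'.
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol === 'http:';
}

// Returns the Referer value, or null when the browser sends no header at all.
// Fragment and userinfo are stripped first (RFC 7231 §5.5.2), whatever the policy.
function refererFor(pageUrl, targetUrl, policy = 'no-referrer-when-downgrade') {
  const from = new URL(pageUrl);
  const to = new URL(targetUrl);
  from.hash = '';
  from.username = '';
  from.password = '';
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : from.href;
    case 'strict-origin-when-cross-origin':
      if (isDowngrade(from, to)) return null;
      return from.origin === to.origin ? from.href : from.origin + '/';
    default:
      throw new Error('unsupported policy: ' + policy);
  }
}

// True when the token value reaches the target's server via Referer.
function refererLeaksToken(pageUrl, targetUrl, token, policy) {
  const referer = refererFor(pageUrl, targetUrl, policy);
  return referer !== null && referer.includes(token);
}

// Constructed inputs: the page path from the thread plus an assumed third-party
// image the page might embed.
const PAGE = 'http://brunobowden.dreamhosters.com/gadgets/tmp/referrer-source.html';
const THIRD_PARTY = 'http://cdn.example/pixel.gif';
const SAME_ORIGIN_IMAGE = 'http://brunobowden.dreamhosters.com/gadgets/tmp/logo.png';

// The four cases a reviewer would want to see side by side.
function demo() {
  return {
    fragment: refererLeaksToken(PAGE + '#t=token', THIRD_PARTY, 'token'),
    query: refererLeaksToken(PAGE + '?t=token', THIRD_PARTY, 'token'),
    queryStrictCrossOrigin: refererLeaksToken(PAGE + '?t=token', THIRD_PARTY, 'token',
      'strict-origin-when-cross-origin'),
    queryStrictSameOrigin: refererLeaksToken(PAGE + '?t=token', SAME_ORIGIN_IMAGE, 'token',
      'strict-origin-when-cross-origin'),
  };
}

console.log(demo()); // fragment: false, query: true, strict cross-origin: false, strict same-origin: true
```

The last two cases are the caveat to Bruno's comparison: a modern default policy hides the query string from cross-origin destinations but still sends it, token included, to same-origin resources, and neither policy helps against the server's own access logs, where the full request line is recorded. Only the fragment form keeps the token out of all of those places, which is why the header is the right channel for the trip back to the proxy endpoint.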

Re: gadget token location

Posted by Paul Lindner <pl...@hi5.com>.
On Tue, Jan 29, 2008 at 12:03:57PM -0800, Brian Eaton wrote:
> Hey folks -
> 
> When initializing a gadget it seems like the best place to put the
> gadget token is in the URL fragment, i.e.
> http://somegadget.com/foo.xml#t=token.  What about when the token is
> returned to the gadget server for authenticated requests?  The
> ProxyHandler code currently looks for the gadget token in the 't'
> request parameter, but I'd like to move it to an HTTP header.  URL
> parameters tend to leak via the referer header, so moving the gadget
> token out of the URL would be a security win.

My gadgets.js has this.


@@ -499,7 +500,7 @@
   return this.serverBase_ + 'ifr?url=' +
       encodeURIComponent(this.specUrl) + '&synd=' + this.SYND +
'&mid=' +
       this.id + '&parent=' + encodeURIComponent(gadgets.container.parentUrl_) +
-      '&ogc=' + document.location.host + this.getUserPrefsParams();
+      '&ogc=' + document.location.host + this.getUserPrefsParams() + '#' + this.hashState;
 };
 
 gadgets.IfrGadget.prototype.getUserPrefsParams = function() {
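Review bot: `this.hashState` is concatenated unencoded on the `+` line while `specUrl` and `parentUrl_` on the lines above it go through `encodeURIComponent`; a token containing `&`, `#` or `%` would be misread by whatever parses `location.hash` on the gadget side, so write `'#' + encodeURIComponent(this.hashState)`. The same line emits a literal `#undefined` whenever `createGadget` is called without a `hashState`, so either default it to an empty string or skip the `'#'` when it is unset. A one-line comment saying that the fragment is what keeps the token out of the `ifr` request and the gadget server's logs would also stop the next person from "fixing" it into an `&hashState=` query parameter.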


When you add a gadget you specify:

  var gadget = gadgets.container.createGadget({specUrl: specUrl0,
                                               hashState: 'xxxxxxx'});

I'll try and bundle up my changes for general consumption..


-- 
Paul Lindner
hi5 Architect
plindner@hi5.com