I just had this discussion with well-connected people at Google. That is the guarantee that they gave us (a very large visible GAE implementation) and we (and they) are banking on it. I have suggested a change to their documentation to explicitly state such a guarantee. Test it for yourself. One exception to that seems to be that you can manually add that header to requests that originate from a task queue. But that is under our control, so we don't see it as a significant security problem.
scott

On Dec 13, 1:08 am, Raphael André Bauer <raphael.andre.ba...@gmail.com> wrote:
> On Tue, Dec 13, 2011 at 8:56 AM, andrew <andrew.macken...@bcntouch.com> wrote:
> > Well, if Google guarantee to us that that header can never be set in
> > any other external request to your app - it is a rudimentary form of
> > security....
>
> is that guaranteed somewhere?
>
> Thanks,
>
> Raphael
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Google App Engine for Java" group.
> > To post to this group, send email to google-appengine-java@googlegroups.com.
> > To unsubscribe from this group, send email to
> > google-appengine-java+unsubscr...@googlegroups.com.
> > For more options, visit this group
> > at http://groups.google.com/group/google-appengine-java?hl=en.
>
> --
> inc: http://ars-machina.raphaelbauer.com
> tech: http://ars-codia.raphaelbauer.com
> web: http://raphaelbauer.com