On Wed, Dec 14, 2011 at 5:49 AM, BoulderGae <[email protected]> wrote:
> I just had this discussion with well-connected people at Google.  That
> is the guarantee that they gave us (a very large visible GAE
> implementation) and we (and they) are banking on it.  I have suggested
> a change to their documentation to explicitly state such a guarantee.
> Test it for yourself.  One exception to that seems to be that you can
> manually add that header to requests that originate from a task
> queue.  But that is under our control, so we don't see it as a
> significant security problem.

Okay - if the container can guarantee that no outside request can set
the header - that would be perfect.

I'll examine that a bit - and it would be great if that guarantee
would be quoted in the docs.


Thanks a lot for that information!


Best,


Raphael

>
> scott
>
> On Dec 13, 1:08 am, Raphael André Bauer
> <[email protected]> wrote:
>> On Tue, Dec 13, 2011 at 8:56 AM, andrew <[email protected]> 
>> wrote:
>> > Well, if Google guarantee to us that that header can never be set in
>> > any other external request to your app - it is a rudimentary form of
>> > security....
>>
>> is that guaranteed somewhere?
>>
>> Thanks,
>>
>> Raphael
>>
>>
>>
>> > --
>> > You received this message because you are subscribed to the Google Groups 
>> > "Google App Engine for Java" group.
>> > To post to this group, send email to 
>> > [email protected].
>> > To unsubscribe from this group, send email to 
>> > [email protected].
>> > For more options, visit this group at
>> > http://groups.google.com/group/google-appengine-java?hl=en.
>>
>> --
>> inc:http://ars-machina.raphaelbauer.com
>> tech:http://ars-codia.raphaelbauer.com
>> web:http://raphaelbauer.com
>



-- 
inc: http://ars-machina.raphaelbauer.com
tech: http://ars-codia.raphaelbauer.com
web: http://raphaelbauer.com
