[
https://issues.apache.org/jira/browse/SHINDIG-133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12598048#action_12598048
]
Paul Lindner commented on SHINDIG-133:
--------------------------------------
At hi5 we just stopped sending any client headers to the backend. This works
just fine and has resolved all of our dodgy fetch problems.
Come to think of it there are hardly any cases where the headers need to be
sent from the client to backend host, since you can specify the ones you want
in the makeRequest() call.
Maybe this is needed for the direct proxy? Maybe if we streamed content direct
from the origin server that would make sense, but we don't. Instead we gather
the results of the fetch, and send them on their way.
> forwarding browser headers on remote content requests
> -----------------------------------------------------
>
> Key: SHINDIG-133
> URL: https://issues.apache.org/jira/browse/SHINDIG-133
> Project: Shindig
> Issue Type: Bug
> Components: Gadget Rendering Server (Java)
> Reporter: Brian Eaton
>
> There is some fairly dodgy code in ProxyHandler.java. If a GET request shows
> up at the server, nearly all of the headers sent from the browser are
> forwarded to the backend. This should be replaced with a white list of
> headers that are OK to copy out of the request.
> As an example of various things that are likely to go wrong with the current
> code:
> - cookies will be forwarded (and yes, I know gadgets shouldn't have cookies,
> but if they do we shouldn't leak them this way.)
> - some hop by hop headers will be forwarded
> There are probably other issues.
> Problem code is here:
> if ("POST".equals(method)) {
>     ....
> } else {
>     postBody = null;
>     headers = new HashMap<String, List<String>>();
>     Enumeration<String> headerNames = request.getHeaderNames();
>     while (headerNames.hasMoreElements()) {
>         String header = headerNames.nextElement();
>         headers.put(header, Collections.list(request.getHeaders(header)));
>     }
> }
> removeUnsafeHeaders(headers);
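To illustrate the allow-list approach the report asks for, here is an added example (not Shindig's code, and not from either commenter): the copy-everything pattern from the quoted snippet beside a filter that forwards only a small, hypothetical set of end-to-end headers, so cookies and hop-by-hop headers such as Connection never reach the backend. The allow-list contents and the sample header values are assumptions constructed for the demonstration.

```java
import java.util.*;

/** Hypothetical helper, not Shindig's ProxyHandler: decides which browser headers a proxied fetch forwards. */
public final class ForwardHeaders {
    // Assumption: a minimal allow-list of end-to-end headers a proxied fetch legitimately needs.
    // Cookie, Host and hop-by-hop headers (Connection, Keep-Alive, Proxy-*, TE, Trailer,
    // Transfer-Encoding, Upgrade) are deliberately absent, so they are never forwarded.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
        "accept", "accept-language", "user-agent", "if-modified-since", "if-none-match"));

    /** The pattern the bug report describes: every header the browser sent is copied verbatim. */
    public static Map<String, List<String>> copyAll(Map<String, List<String>> browserHeaders) {
        return new HashMap<String, List<String>>(browserHeaders);
    }

    /** Allow-list filter: a header survives only if its (case-insensitive) name is explicitly permitted. */
    public static Map<String, List<String>> filtered(Map<String, List<String>> browserHeaders) {
        Map<String, List<String>> out = new HashMap<String, List<String>>();
        for (Map.Entry<String, List<String>> e : browserHeaders.entrySet()) {
            String name = e.getKey().toLowerCase(Locale.ROOT);
            if (ALLOWED.contains(name)) {
                out.put(name, new ArrayList<String>(e.getValue()));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of what a browser might send to the gadget proxy.
        Map<String, List<String>> browser = new LinkedHashMap<String, List<String>>();
        browser.put("Host", Collections.singletonList("gadgets.example.invalid"));
        browser.put("Cookie", Collections.singletonList("SESSIONID=constructed-sample-value"));
        browser.put("Connection", Collections.singletonList("keep-alive"));
        browser.put("Accept-Language", Collections.singletonList("en-US"));
        browser.put("User-Agent", Collections.singletonList("Mozilla/5.0 (constructed)"));

        // copyAll leaks the session cookie and the hop-by-hop Connection header to the backend;
        // filtered forwards only accept-language and user-agent.
        System.out.println("copyAll  forwards: " + copyAll(browser).keySet());
        System.out.println("filtered forwards: " + filtered(browser).keySet());
    }
}
```

The allow-list is the security boundary here: adding a header to it is a deliberate decision, whereas the copy-everything pattern silently forwards whatever a future browser or intermediary chooses to send.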