So, if I were a bad guy, can I copy all Internet into the proxy?! =P
On Wed, Jul 16, 2008 at 6:07 PM, Kevin Brown <[EMAIL PROTECTED]> wrote: > > On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González <[EMAIL PROTECTED]> > wrote: > > > btw, why all the files that pass through the proxy are named as "p.txt"? > > it's a convention or what? > > > the "p" is arbitrary (it stands for proxy). The .txt extension generally > causes the file to be opened in a text editor rather than the web browser > (either that or the user gets a download dialog). Most other extensions > would be loaded in the browser (making the technique ineffective) or blocked > by security software. > > > > > > On Wed, Jul 16, 2008 at 5:58 PM, Chris Chabot <[EMAIL PROTECTED]> wrote: > > > > > So how does it prevent the use of the proxy as a 'free Akamai' when > > people > > > can use it for their images/etc? > > > > > > > > > On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote: > > > > > > Yes, it works under that use case. Sending it as an attachment does not > > >> interfere with legitimate use of the proxy as it does not impact img, > > >> object, embed, script, or link elements or style sheet imports. > > >> > > >> On Wed, Jul 16, 2008 at 1:46 PM, Ropu <[EMAIL PROTECTED]> wrote: > > >> > > >> hi > > >>> > > >>> i have a question. > > >>> > > >>> will sending proxy results as attachment work with this example? > > >>> * > > >>> Let the container cache your dynamic content* > > >>> http://code.google.com/apis/opensocial/articles/latency/#dynamic > > >>> > > >>> The gadgets.io.getProxyUrl function will return the location of the > > >>> cached > > >>> version of the URL you provide, including images, JavaScript, and CSS. > > So > > >>> instead of using the URL of content hosted on your server, like this: > > >>> > > >>> function showImage() { > > >>> imgUrl = 'http://www.example.com/i_heart_apis_sm.png'; > > >>> html = ['<img src="', imgUrl, '">']; > > >>> document.getElementById('dom_handle').innerHTML = html.join(''); > > >>> }; > > >>> > > >>> showImage(); > > >>> > > >>> you can use the URL of the cached content, like this: > > >>> > > >>> function showImage() { > > >>> imgUrl = 'http://www.example.com/i_heart_apis_sm.png'; > > >>> *cachedUrl = gadgets.io.getProxyUrl(imgUrl);* > > >>> html = ['<img src="', *cachedUrl*, '">']; > > >>> document.getElementById('dom_handle').innerHTML = html.join(''); > > >>> }; > > >>> > > >>> > > >>> showImage(); > > >>> > > >>> > > >>> > > >>> if so, its preventing "free akamai"or phishing? > > >>> > > >>> said this, or the example is wrong (and we are limiting functionality) > > or > > >>> the solution is partial (or im completely mixed up :P) > > >>> > > >>> ropu > > >>> > > >>> On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <[EMAIL PROTECTED]> wrote: > > >>> > > >>> On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <[EMAIL PROTECTED]> > > wrote: > > >>>> > > >>>> Hi, > > >>>>> > > >>>>> what is the suggested strategy to prevent abuse of the open proxy at > > >>>>> /gadgets/proxy? I found some old discussions from february about > > adding > > >>>>> > > >>>> the > > >>>> > > >>>>> IP address of the user as HTTP header. Some testing however showed > > that > > >>>>> > > >>>> this > > >>>> > > >>>>> is not yet implemented. > > >>>>> > > >>>>> Are there any plans to implement some kind of whitelist feature? More > > >>>>> importantly: Are there any reasons against implementing such a > > feature? > > >>>>> > > >>>> > > >>>> > > >>>> You could always add a whitelist for outbound requests, but you'd have > > >>>> to > > >>>> do > > >>>> a custom http fetcher implementation. > > >>>> > > >>>> The java version is currently returning all proxied files as > > >>>> attachments, > > >>>> which has helped significantly with reducing the potential of > > >>>> /gadgets/proxy > > >>>> as a phishing vector or free Akamai. > > >>>> > > >>>> > > >>>> > > >>>>> > > >>>>> > > >>>>> Best Regards, > > >>>>> > > >>>>> Karsten Beyer > > >>>>> [EMAIL PROTECTED] > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>> > > >>> > > >>> > > >>> -- > > >>> .-. --- .--. ..- > > >>> R o p u > > >>> > > >>> > > > > >
