We just blacklist certain urls and certain referrers on gmodules.com. We haven't really had any issue with that scheme, and we're a pretty big target for exploits.
On Wed, Jul 16, 2008 at 2:45 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:

> Some might feel the same ... adding a security token to all the proxy
> requests or checking referrers etc has been added as a possible solution to
> reduce the risk a bit but so far hasn't gotten a lot of traction.
>
> On Jul 16, 2008, at 11:39 PM, Emilio Daniel González wrote:
>
>> That is abuse! I think...
>>
>> On Wed, Jul 16, 2008 at 6:34 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:
>>
>>> Well what you -could- do is create a site, and host all the 'images'
>>> (let's pretend this does not involve scantily dressed people) on the pages
>>> as <img src="http://shindig/proxy?url=http://myhost.com/some/image.gif" /> ...
>>> and thus offload most of the bandwidth used to the proxy instead of the
>>> originating site.
>>>
>>> On Jul 16, 2008, at 11:27 PM, Emilio Daniel González wrote:
>>>
>>>> So, if I were a bad guy, can I copy all the Internet into the proxy?! =P
>>>>
>>>> On Wed, Jul 16, 2008 at 6:07 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González
>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>> btw, why are all the files that pass through the proxy named "p.txt"?
>>>>>> Is it a convention or what?
>>>>>
>>>>> The "p" is arbitrary (it stands for proxy). The .txt extension generally
>>>>> causes the file to be opened in a text editor rather than the web browser
>>>>> (either that or the user gets a download dialog). Most other extensions
>>>>> would be loaded in the browser (making the technique ineffective) or
>>>>> blocked by security software.
>>>>>
>>>>>> On Wed, Jul 16, 2008 at 5:58 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:
>>>>>>
>>>>>>> So how does it prevent the use of the proxy as a 'free Akamai' when
>>>>>>> people can use it for their images/etc?
>>>>>>>
>>>>>>> On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote:
>>>>>>>
>>>>>>>> Yes, it works under that use case. Sending it as an attachment does
>>>>>>>> not interfere with legitimate use of the proxy as it does not impact
>>>>>>>> img, object, embed, script, or link elements or style sheet imports.
>>>>>>>>
>>>>>>>> On Wed, Jul 16, 2008 at 1:46 PM, Ropu <[EMAIL PROTECTED]> wrote:
>>>>>>>>
>>>>>>>>> hi
>>>>>>>>>
>>>>>>>>> i have a question.
>>>>>>>>>
>>>>>>>>> will sending proxy results as attachment work with this example?
>>>>>>>>>
>>>>>>>>> *Let the container cache your dynamic content*
>>>>>>>>> http://code.google.com/apis/opensocial/articles/latency/#dynamic
>>>>>>>>>
>>>>>>>>> The gadgets.io.getProxyUrl function will return the location of the
>>>>>>>>> cached version of the URL you provide, including images, JavaScript,
>>>>>>>>> and CSS. So instead of using the URL of content hosted on your
>>>>>>>>> server, like this:
>>>>>>>>>
>>>>>>>>>   function showImage() {
>>>>>>>>>     var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
>>>>>>>>>     var html = ['<img src="', imgUrl, '">'];
>>>>>>>>>     document.getElementById('dom_handle').innerHTML = html.join('');
>>>>>>>>>   }
>>>>>>>>>
>>>>>>>>>   showImage();
>>>>>>>>>
>>>>>>>>> you can use the URL of the cached content, like this:
>>>>>>>>>
>>>>>>>>>   function showImage() {
>>>>>>>>>     var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
>>>>>>>>>     // changed: ask the container for the proxied/cached location
>>>>>>>>>     var cachedUrl = gadgets.io.getProxyUrl(imgUrl);
>>>>>>>>>     // changed: reference the cached URL instead of the origin URL
>>>>>>>>>     var html = ['<img src="', cachedUrl, '">'];
>>>>>>>>>     document.getElementById('dom_handle').innerHTML = html.join('');
>>>>>>>>>   }
>>>>>>>>>
>>>>>>>>>   showImage();
>>>>>>>>>
>>>>>>>>> if so, is it preventing "free akamai" or phishing?
>>>>>>>>>
>>>>>>>>> said this, either the example is wrong (and we are limiting
>>>>>>>>> functionality) or the solution is partial (or I'm completely mixed
>>>>>>>>> up :P)
>>>>>>>>>
>>>>>>>>> ropu
>>>>>>>>>
>>>>>>>>> On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
>>>>>>>>>
>>>>>>>>>> On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <[EMAIL PROTECTED]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> what is the suggested strategy to prevent abuse of the open proxy
>>>>>>>>>>> at /gadgets/proxy? I found some old discussions from February
>>>>>>>>>>> about adding the IP address of the user as HTTP header. Some
>>>>>>>>>>> testing however showed that this is not yet implemented.
>>>>>>>>>>>
>>>>>>>>>>> Are there any plans to implement some kind of whitelist feature?
>>>>>>>>>>> More importantly: are there any reasons against implementing such
>>>>>>>>>>> a feature?
>>>>>>>>>>
>>>>>>>>>> You could always add a whitelist for outbound requests, but you'd
>>>>>>>>>> have to do a custom http fetcher implementation.
>>>>>>>>>>
>>>>>>>>>> The java version is currently returning all proxied files as
>>>>>>>>>> attachments, which has helped significantly with reducing the
>>>>>>>>>> potential of /gadgets/proxy as a phishing vector or free Akamai.
>>>>>>>>>>
>>>>>>>>>>> Best Regards,
>>>>>>>>>>>
>>>>>>>>>>> Karsten Beyer
>>>>>>>>>>> [EMAIL PROTECTED]
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> .-. --- .--. ..-
>>>>>>>>> R o p u
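The thread above discusses three separate mitigations for an open gadget proxy: a security token on proxy requests, blacklists of target URLs and referrers, and serving the fetched body as an attachment named p.txt. The following is an added example, written for this page and not code from Shindig or from any of the posters, showing how those three checks combine into one request policy. It is in Python rather than Shindig's Java so it can run stand-alone; the proxy base URL, the `st` token parameter name, the secret, and the blocked hosts are all constructed assumptions.

```python
"""Request policy for a gadget content proxy (illustrative, not Shindig's code).

Combines the three mitigations raised in the thread:
  1. a security token: the container signs each proxied URL with an HMAC
     keyed by a secret only it knows, so a third party cannot mint proxy
     URLs for content it wants the proxy to serve for free;
  2. blacklists of target URLs and of referrers (the gmodules.com approach);
  3. serving the body as an attachment named p.txt, which stops a browser
     from *rendering* an arbitrary proxied page (phishing) while leaving
     <img>/<script>/<link> subresource loads working.
All hostnames, the secret and the block lists below are constructed for
the example; the ?url=...&st=... URL shape is an assumption.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example secret; a real container would load this from config.
CONTAINER_SECRET = b"example-container-secret-do-not-reuse"
PROXY_BASE = "http://shindig/gadgets/proxy"

# Constructed block lists (hypothetical hosts).
BLOCKED_TARGET_HOSTS = {"warez.example"}
BLOCKED_REFERRER_HOSTS = {"hotlinker.example"}


def sign_target(secret: bytes, target_url: str) -> str:
    """HMAC-SHA256 over the exact target URL; the proxy recomputes this."""
    return hmac.new(secret, target_url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_proxy_url(secret: bytes, target_url: str) -> str:
    """What a container-side getProxyUrl-style helper would emit (assumed shape)."""
    params = {"url": target_url, "st": sign_target(secret, target_url)}
    return PROXY_BASE + "?" + urlencode(params)


def check_proxy_request(secret: bytes, request_url: str, referer: Optional[str]):
    """Decide whether the proxy should fetch for this request.

    Returns (allowed, reason, response_headers); response_headers are the
    headers to add when serving the fetched body.
    """
    query = parse_qs(urlparse(request_url).query)
    target = query.get("url", [None])[0]
    token = query.get("st", [None])[0]
    if not target or not token:
        return False, "missing url or token", {}

    # 1. Security token: constant-time compare to avoid a timing side channel.
    if not hmac.compare_digest(token, sign_target(secret, target)):
        return False, "bad token", {}

    # 2a. Target URL checks: only http/https, and never a blacklisted host.
    target_parts = urlparse(target)
    if target_parts.scheme not in ("http", "https"):
        return False, "unsupported scheme", {}
    if (target_parts.hostname or "").lower() in BLOCKED_TARGET_HOSTS:
        return False, "blocked target host", {}

    # 2b. Referrer blacklist. Caveat: Referer may be absent or forged by
    #     non-browser clients, so this only catches ordinary <img> hot-linking.
    if referer:
        ref_host = (urlparse(referer).hostname or "").lower()
        if ref_host in BLOCKED_REFERRER_HOSTS:
            return False, "blocked referrer", {}

    # 3. Serve as an attachment so a browser navigating to the proxy URL
    #    downloads p.txt instead of rendering a look-alike page. Subresource
    #    loads (img, script, link, object, embed) ignore Content-Disposition.
    headers = {
        "Content-Disposition": 'attachment; filename="p.txt"',
        "X-Content-Type-Options": "nosniff",  # added hardening, not from the thread
    }
    return True, "ok", headers


if __name__ == "__main__":
    good = make_proxy_url(CONTAINER_SECRET, "http://www.example.com/i_heart_apis_sm.png")
    print(check_proxy_request(CONTAINER_SECRET, good, "http://container.example/gadget"))
    # A third party rewriting the url parameter without the secret fails the token check.
    print(check_proxy_request(CONTAINER_SECRET, good.replace("i_heart", "i_hate"), None))
```

The ordering matters for the point Chris Chabot raises: the attachment disposition alone does nothing against bandwidth offloading, because browsers ignore it for `<img>` and other subresource loads, and a referrer blacklist only catches hot-linkers who have already been noticed. Only the signed token stops an outsider from constructing proxy URLs for their own content in the first place, which is why it is checked before anything is fetched.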

