On Thu, Jul 17, 2008 at 1:24 AM, Chris Chabot <[EMAIL PROTECTED]> wrote:

> See I think the main difference is that people who have much smaller
> containers, limited bandwidth and limited cash might be more worried about a
> bandwidth hit than, say, a google would be :)


Indeed, and those smaller containers probably don't have as many gadgets to
deal with, and as such a whitelisting approach may work out just fine.
Whitelisting the urls for a few hundred gadgets isn't too bad, it's when you
have to deal with them for several thousand that it becomes problematic.


>
> On Jul 17, 2008, at 2:55 AM, Kevin Brown wrote:
>
>> We just blacklist certain urls and certain referrers on gmodules.com. We
>> haven't really had any issue with that scheme, and we're a pretty big
>> target for exploits.
>>
>> On Wed, Jul 16, 2008 at 2:45 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:
>>
>>> Some might feel the same ... adding a security token to all the proxy
>>> requests or checking referrers etc has been added as a possible solution
>>> to reduce the risk a bit but so far hasn't gotten a lot of traction.
>>>
>>>
>>> On Jul 16, 2008, at 11:39 PM, Emilio Daniel González wrote:
>>>
>>>> That is abuse! I think...
>>>
>>>>
>>>> On Wed, Jul 16, 2008 at 6:34 PM, Chris Chabot <[EMAIL PROTECTED]>
>>>> wrote:
>>>>
>>>>> Well what you -could- do is create a site, and host all the 'images'
>>>>> (lets pretend this does not involve scantly dressed people) on the pages
>>>>> on <img src="http://shindig/proxy?url=http://myhost.com/some/image.gif" />
>>>>> ... and thus offloading most of the bandwidth used to the proxy instead
>>>>> of the originating site.
>>>>>
>>>>>
>>>>>
>>>>> On Jul 16, 2008, at 11:27 PM, Emilio Daniel González wrote:
>>>>>
>>>>> So, if I were a bad guy, can I copy all Internet into the proxy?! =P
>>>>>
>>>>>>
>>>>>> On Wed, Jul 16, 2008 at 6:07 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
>>>>>>
>>>>>>
>>>>>>> On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González
>>>>>>> <[EMAIL PROTECTED]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> btw, why are all the files that pass through the proxy named
>>>>>>>> "p.txt"? it's a convention or what?
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> the "p" is arbitrary (it stands for proxy). The .txt extension
>>>>>>> generally causes the file to be opened in a text editor rather than the
>>>>>>> web browser (either that or the user gets a download dialog). Most other
>>>>>>> extensions would be loaded in the browser (making the technique
>>>>>>> ineffective) or blocked by security software.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>  On Wed, Jul 16, 2008 at 5:58 PM, Chris Chabot <[EMAIL PROTECTED]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> So how does it prevent the use of the proxy as a 'free Akamai' when
>>>>>>>> people can use it for their images/etc?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote:
>>>>>>>>>
>>>>>>>>>> Yes, it works under that use case. Sending it as an attachment does
>>>>>>>>>> not interfere with legitimate use of the proxy as it does not impact
>>>>>>>>>> img, object, embed, script, or link elements or style sheet imports.
>>>>>>>>>>
>>>>>>>>>> On Wed, Jul 16, 2008 at 1:46 PM, Ropu <[EMAIL PROTECTED]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> hi
>>>>>>>>>>>
>>>>>>>>>>> i have a question.
>>>>>>>>>>>
>>>>>>>>>>> will sending proxy results as attachment work with this example?
>>>>>>>>>>>
>>>>>>>>>>> *Let the container cache your dynamic content*
>>>>>>>>>>> http://code.google.com/apis/opensocial/articles/latency/#dynamic
>>>>>>>>>>>
>>>>>>>>>>> The gadgets.io.getProxyUrl function will return the location of the
>>>>>>>>>>> cached version of the URL you provide, including images, JavaScript,
>>>>>>>>>>> and CSS. So instead of using the URL of content hosted on your
>>>>>>>>>>> server, like this:
>>>>>>>>>>>
>>>>>>>>>>> function showImage() {
>>>>>>>>>>>   var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
>>>>>>>>>>>   var html = ['<img src="', imgUrl, '">'];
>>>>>>>>>>>   document.getElementById('dom_handle').innerHTML = html.join('');
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> showImage();
>>>>>>>>>>>
>>>>>>>>>>> you can use the URL of the cached content, like this:
>>>>>>>>>>>
>>>>>>>>>>> function showImage() {
>>>>>>>>>>>   var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
>>>>>>>>>>>   // changed: ask the container for its proxied/cached URL of imgUrl
>>>>>>>>>>>   var cachedUrl = gadgets.io.getProxyUrl(imgUrl);
>>>>>>>>>>>   var html = ['<img src="', cachedUrl, '">'];
>>>>>>>>>>>   document.getElementById('dom_handle').innerHTML = html.join('');
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> showImage();
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> if so, it's preventing "free akamai" or phishing?
>>>>>>>>>>>
>>>>>>>>>>> said this, or the example is wrong (and we are limiting
>>>>>>>>>>> functionality) or the solution is partial (or im completely mixed up :P)
>>>>>>>>>>>
>>>>>>>>>>> ropu
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <[EMAIL PROTECTED]>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <[EMAIL PROTECTED]>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> what is the suggested strategy to prevent abuse of the open proxy
>>>>>>>>>>>>> at /gadgets/proxy? I found some old discussions from february about
>>>>>>>>>>>>> adding the IP address of the user as HTTP header. Some testing
>>>>>>>>>>>>> however showed that this is not yet implemented.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Are there any plans to implement some kind of whitelist feature?
>>>>>>>>>>>>> More importantly: Are there any reasons against implementing such a
>>>>>>>>>>>>> feature?
>>>>>>>>>>>>
>>>>>>>>>>>> You could always add a whitelist for outbound requests, but you'd
>>>>>>>>>>>> have to do a custom http fetcher implementation.
>>>>>>>>>>>>
>>>>>>>>>>>> The java version is currently returning all proxied files as
>>>>>>>>>>>> attachments, which has helped significantly with reducing the
>>>>>>>>>>>> potential of /gadgets/proxy as a phishing vector or free Akamai.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Karsten Beyer
>>>>>>>>>>>>> [EMAIL PROTECTED]
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> .-. --- .--. ..-
>>>>>>>>>>> R o p u
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>
>>>>>
>>>
>

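A model of the proxy controls this thread discusses (whitelist or blacklist of target hosts and referrers, plus serving every proxied body as an attachment named p.txt), written as an added example; it is not Shindig's own code, and the class name, helper names and hostnames are made up.

```python
# Added example, not Shindig's own code: a model of the /gadgets/proxy
# controls discussed in this thread. Hostnames and class names are made up.
from urllib.parse import urlparse

def _host(url):
    """Lowercased hostname of url, or None if it is not http(s) or has no host."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    return p.hostname.lower()

def _matches(host, patterns):
    """True if host equals one of patterns or is a subdomain of one."""
    return any(host == pat or host.endswith("." + pat) for pat in patterns)

class ProxyPolicy:
    """allowed_hosts=None is blacklist mode (block known-bad urls and
    referrers, as gmodules.com does); a set of hosts is whitelist mode
    (a few hundred known gadget hosts, workable for a small container)."""

    def __init__(self, allowed_hosts=None, blocked_hosts=(), blocked_referrers=()):
        self.allowed_hosts = allowed_hosts
        self.blocked_hosts = tuple(blocked_hosts)
        self.blocked_referrers = tuple(blocked_referrers)

    def decide(self, target_url, referrer=None):
        """Return (allowed, reason) for one url= target and its Referer header."""
        host = _host(target_url)
        if host is None:
            return False, "unsupported scheme or missing host"
        if self.allowed_hosts is not None and not _matches(host, self.allowed_hosts):
            return False, "host not whitelisted"
        if _matches(host, self.blocked_hosts):
            return False, "host blacklisted"
        if referrer:  # a missing Referer is allowed: many clients strip it
            ref = _host(referrer)
            if ref is None or _matches(ref, self.blocked_referrers):
                return False, "referrer blocked"
        return True, "ok"

def proxied_response_headers(upstream_headers):
    """Deliver the fetched body as an attachment named p.txt, as the Java proxy
    does: <img>, <script>, <link> and @import still load it, but a user who
    opens the proxy url directly gets a download instead of a rendered page."""
    headers = {k: v for k, v in upstream_headers.items()
               if k.lower() != "content-disposition"}
    headers["Content-Disposition"] = "attachment;filename=p.txt"
    return headers
```

The referrer check only catches hotlinking sites that send a Referer; the attachment header is what blunts the phishing case regardless of who fetches.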