On Fri, Dec 19, 2008 at 3:31 PM, Jamey Wood <jamey.w...@sun.com> wrote:
> "normal" operation, the only references to it should come from Shindig's own
> rewriting process? If so, what if that rewriting process included a
> signature value as an additional param, e.g.:
>
> img src=http://isolation.modules.com/proxy?sig=<sig>&url=<real_url>

This might work, assuming no JavaScript is actually calling gadgets.io.getProxyUrl. I suspect including the security token would be easier. Lack of a security token could also degrade gracefully; for most content the proxy could return a 302 to the real URL. You could probably disable the open proxy entirely, though you would have to give up the content rewriting performance boost.
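
The signed proxy URL from the quoted message together with the 302 fallback from the reply, as an added example that is not part of the original thread and is not Shindig code. HMAC-SHA256 as the signature scheme, the key, and the function names `sign`, `rewrite` and `handle` are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a secret shared only by the rewriting step and the proxy.
PROXY_KEY = b"constructed-demo-key"
PROXY_BASE = "http://isolation.modules.com/proxy"  # host taken from the quoted message


def sign(real_url: str) -> str:
    """HMAC-SHA256 over the exact target URL, hex-encoded (assumed scheme)."""
    return hmac.new(PROXY_KEY, real_url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite(real_url: str) -> str:
    """URL the rewriting step would emit in place of the original src."""
    return PROXY_BASE + "?" + urlencode({"sig": sign(real_url), "url": real_url})


def handle(proxy_url: str) -> tuple:
    """Decide how the proxy answers a request.

    (200, url): signature valid, the proxy may fetch and rewrite the content.
    (302, url): no valid signature, send the browser to the real URL instead.
    (400, ""):  missing or non-http(s) target.
    """
    params = parse_qs(urlsplit(proxy_url).query)
    url = params.get("url", [""])[0]
    sig = params.get("sig", [""])[0]
    target = urlsplit(url)
    if target.scheme not in ("http", "https") or not target.netloc:
        return 400, ""
    # Constant-time comparison so the check does not leak signature prefixes.
    if hmac.compare_digest(sig.encode("utf-8"), sign(url).encode("utf-8")):
        return 200, url
    # Unsigned or tampered: nothing is fetched on the caller's behalf, but
    # this is still a redirect to a caller-chosen URL.
    return 302, url
```

Because the signature covers the whole target URL, changing any part of `url` after rewriting drops the request to the redirect path instead of a proxied fetch.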