[
https://issues.apache.org/jira/browse/SHINDIG-1216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774752#action_12774752
]
Paul Lindner commented on SHINDIG-1216:
---------------------------------------
Code review at http://codereview.appspot.com/149041
> OAuth Proxy should allow for viewer access on secured owner pages.
> ------------------------------------------------------------------
>
> Key: SHINDIG-1216
> URL: https://issues.apache.org/jira/browse/SHINDIG-1216
> Project: Shindig
> Issue Type: Improvement
> Components: Java
> Affects Versions: 1.1-BETA3
> Reporter: Paul Lindner
> Assignee: Paul Lindner
>
> The OAuth proxy currently only allows access when owner == viewer due to
> security concerns. Specifically, a malicious owner could place JavaScript on
> their profile page that could impersonate the viewer if care is not taken.
> For sites that have secured owner pages or 'owner-less' pages we want to
> allow OAuth proxy use for the viewer on any page.
> This will be accomplished by adding a new configuration option and injecting
> it into the oauth fetcher config.