[ https://issues.apache.org/jira/browse/SHINDIG-1216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul Lindner resolved SHINDIG-1216.
-----------------------------------
Resolution: Fixed
Fix Version/s: 1.1-BETA4
> OAuth Proxy should allow for viewer access on secured owner pages.
> ------------------------------------------------------------------
>
> Key: SHINDIG-1216
> URL: https://issues.apache.org/jira/browse/SHINDIG-1216
> Project: Shindig
> Issue Type: Improvement
> Components: Java
> Affects Versions: 1.1-BETA3
> Reporter: Paul Lindner
> Assignee: Paul Lindner
> Fix For: 1.1-BETA4
>
>
> The OAuth proxy currently only allows access when owner == viewer due to
> security concerns. Specifically, a malicious owner could place JavaScript on
> their profile page that could impersonate the viewer if care is not taken.
> For sites that have secured owner pages or 'owner-less' pages we want to
> allow OAuth proxy use for the viewer on any page.
> This will be accomplished by adding a new configuration option and injecting
> it into the oauth fetcher config.