On Tue, Mar 11, 2008 at 11:34 AM, Felix Meschberger <[EMAIL PROTECTED]> wrote:
> ...
> * Sling may therefore be used for attacks where the root of the attack
> is hidden
>
> * We shift the cross-domain limitation from the client to the server
> and burden the server with protection against dangers....

Agreed - we could use a configurable list of URL prefixes (like www.somewhere.com/somepath) to which proxy requests are allowed, and set a very restrictive default value that would only allow our tests and demos to run.

And maybe add a header to the proxied requests that shows that Sling was involved in it.

I think the problem is no different from people using mod_proxy to do that; our responsibility is IMHO limited to making people aware of the issues, which could be done in the description of the above "proxy requests patterns" configuration property.

-Bertrand
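The allow-list idea above is the standard mitigation for a server-side proxy being used as an open relay, but the matching has to be done on the parsed URL rather than on the raw string, otherwise path traversal, segment-boundary tricks and unexpected schemes slip through a "starts with" check. The following is an added, illustrative example (not Sling's code, and not from this thread): a naive string-prefix check beside a hardened one, plus a helper that adds a `Via` header to the outgoing request so the origin can see a proxy was involved. The allow-list entries, the `sling` Via token and the function names are assumptions made for the example.

```python
"""Allow-list matching for a server-side proxy (illustrative example, not Sling code)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed allow-list; a restrictive default would hold only the hosts and
# paths needed for the project's own tests and demos.
ALLOWED_PREFIXES = [
    "www.somewhere.com/somepath",  # host + path prefix
    "demo.example.org/",           # whole host
]
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_allowed(url, prefixes=ALLOWED_PREFIXES):
    """The obvious check: drop the scheme and do a string prefix match.
    Accepts 'somepathology' and 'somepath/../admin', and any scheme."""
    rest = url.split("://", 1)[-1]
    return any(rest.startswith(p) for p in prefixes)


def normalize_path(path):
    """Percent-decode and collapse '.'/'..' so traversal is visible to the match."""
    decoded = unquote(path or "/")
    norm = posixpath.normpath(decoded)          # '/somepath/../admin' -> '/admin'
    if not norm.startswith("/"):
        norm = "/" + norm
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"                             # normpath strips a trailing slash
    return norm


def is_allowed(url, prefixes=ALLOWED_PREFIXES):
    """Hardened check: exact host (and port) match, path prefix on a segment boundary."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False                            # reject user@host confusion
    host = (parts.hostname or "").lower()
    if not host:
        return False
    path = normalize_path(parts.path)
    for prefix in prefixes:
        p_netloc, _, p_path = prefix.partition("/")
        p_host, _, p_port = p_netloc.partition(":")
        if host != p_host.lower():
            continue                            # no suffix/subdomain tricks
        if parts.port != (int(p_port) if p_port else None):
            continue                            # port must match the entry exactly
        p_path = "/" + p_path
        if p_path.endswith("/"):
            if path.startswith(p_path):
                return True
        elif path == p_path or path.startswith(p_path + "/"):
            return True                         # '/somepathology' does not match
    return False


def outgoing_headers(incoming, instance_name="sling"):
    """Copy request headers and append a Via entry (RFC 2616 section 14.45) so the
    origin server can tell the request came through this proxy. The token
    '1.1 sling' is an assumed value for the example."""
    headers = dict(incoming)
    token = "1.1 " + instance_name
    existing = headers.get("Via")
    headers["Via"] = f"{existing}, {token}" if existing else token
    return headers


if __name__ == "__main__":
    for u in ("http://www.somewhere.com/somepath/page.html",
              "http://www.somewhere.com/somepathology",
              "http://www.somewhere.com/somepath/../admin",
              "ftp://www.somewhere.com/somepath"):
        print(f"{u:50} naive={naive_is_allowed(u)!s:5} hardened={is_allowed(u)}")
```

The hardened check deliberately treats the allow-list entry as host plus path prefix rather than as an opaque string, which is what makes the segment-boundary and traversal cases fail closed; the `Via` header is the standard way for a proxy to announce itself and fits the "show that Sling was involved" suggestion without inventing a custom header.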