Hello everyone,

I'm currently evaluating Shindig as an OpenSocial container for our project, which should be a public site. I checked the code and I have the following security concern: in my opinion you could use at least the servlets GadgetRenderingServlet, ConcatProxyServlet and JsServlet to request any resource from the internet via the Shindig server. For example, by using

http://opensocial.test:8080/shindig/gadgets/concat?container=default&gadget=http%3A%2F%2Fgadget.test%3A8080%2Fwebapp%2Fgadget&debug=1&nocache=1&type=js&1=http%3A%2F%2Fwww.google.com

to request the Google page. This could be used for local IPs too, like 1=http%3A%2F%2Flocalhost%2Fsecret

What's the proposed way to make this secure? I can think of the following ways:

1.) Use a filter for the servlets and restrict the access by programmatically checking the parameters
2.) Use a firewall to restrict access for the webapp container

Thanks and best regards
Tom
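As an added illustration of option 1.) above (not code from the post or from the Shindig project), a servlet filter that rejects requests whose URL-valued parameters resolve to loopback, private or link-local addresses. It assumes the javax.servlet API and is mapped to the servlet paths in question; the class name OutboundUrlFilter and the "check every parameter that looks like a URL" approach are assumptions, not Shindig conventions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Assumed filter: refuses to proxy/concat URLs that point at internal hosts. */
public class OutboundUrlFilter implements Filter {

    /** True only for http(s) URLs whose host resolves exclusively to public addresses. */
    static boolean isAllowed(String raw) {
        try {
            URI uri = new URI(raw);
            String scheme = uri.getScheme();
            if (scheme == null || uri.getHost() == null) return false;
            if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return false;
            // Resolve the name: a hostname mapping to 127.0.0.1 or 10.x.x.x is as
            // dangerous as a literal IP, so check every address it resolves to.
            for (InetAddress a : InetAddress.getAllByName(uri.getHost())) {
                if (a.isLoopbackAddress() || a.isSiteLocalAddress()
                        || a.isLinkLocalAddress() || a.isAnyLocalAddress()
                        || a.isMulticastAddress()) return false;
                // Note: isSiteLocalAddress() does not cover IPv6 fc00::/7 or
                // IPv4 100.64.0.0/10; add explicit range checks if you use them.
            }
            return true;
        } catch (Exception e) { // URISyntaxException or UnknownHostException
            return false;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        @SuppressWarnings("unchecked")
        Map<String, String[]> params = req.getParameterMap();
        for (Map.Entry<String, String[]> p : params.entrySet()) {
            for (String v : p.getValue()) {
                String lower = v.toLowerCase();
                if ((lower.startsWith("http://") || lower.startsWith("https://")) && !isAllowed(v)) {
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                            "parameter " + p.getKey() + " points at a disallowed host");
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Resolving the host in the filter and again at fetch time leaves a DNS rebinding window, so the fetcher itself should pin the address it checked (or re-run the same check on the address it actually connects to); this filter is a first layer, not a replacement for the firewall rule in option 2.).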
