Re: Address proxied content forging with new query parameter

1 view
Skip to first unread message

Adam Winer

unread,
Mar 31, 2009, 5:41:23 PM3/31/09
to awi...@gmail.com, bea...@google.com, ♫
Done, new patch uploaded.

On Tue, Mar 31, 2009 at 2:37 PM, <bea...@google.com> wrote:
>
> http://codereview.appspot.com/32091/diff/1/2
> File draft/Gadgets-API-Specification.xml (right):
>
> http://codereview.appspot.com/32091/diff/1/2#newcode677
> Line 677: to distinguish proxied content renders from
> gadgets.io.makeRequest() calls.
> How about:
>
> Remote sites that expect proxied content requests SHOULD reject requests
> that do not have opensocial_proxied_content set to 1.  If a remote site
> fails to implement this check, any content in the POST body may be
> spoofed by a malicious user or application.
>
> http://codereview.appspot.com/32091
>

Adam Winer

unread,
Apr 1, 2009, 4:22:29 PM4/1/09
to awi...@gmail.com, bea...@google.com, ♫
Any objections to the patch as is?  Or +1s?

2009/3/31 Adam Winer <awi...@gmail.com>

Brian Eaton

unread,
Apr 1, 2009, 4:26:42 PM4/1/09
to opensocial-an...@googlegroups.com
+1

2009/4/1 Adam Winer <awi...@gmail.com>:

Chris Chabot

unread,
Apr 1, 2009, 4:27:30 PM4/1/09
to opensocial-an...@googlegroups.com, awi...@gmail.com, bea...@google.com
+1 and i've implemented it in php-shindig too

2009/4/1 Adam Winer <awi...@gmail.com>

Evan Gilbert

unread,
Apr 1, 2009, 4:29:05 PM4/1/09
to opensocial-an...@googlegroups.com
+1

Louis Ryan

unread,
Apr 1, 2009, 4:36:12 PM4/1/09
to opensocial-an...@googlegroups.com
+1

Scott Seely

unread,
Apr 1, 2009, 4:46:01 PM4/1/09
to opensocial-an...@googlegroups.com

Ok.+1

Arne Roomann-Kurrik

unread,
Apr 2, 2009, 4:02:09 PM4/2/09
to opensocial-an...@googlegroups.com
Looks good - I've committed this at http://code.google.com/p/opensocial-resources/source/detail?r=1079

~Arne
--
OpenSocial IRC - irc://irc.freenode.net/opensocial
Reply all
Reply to author
Forward
0 new messages