Author: johnh
Date: Wed Feb 23 23:32:44 2011
New Revision: 1073988

URL: http://svn.apache.org/viewvc?rev=1073988&view=rev
Log:
Add 'origin' as a verified field on the 'this' bound to gadgets.rpc callback 
handlers.

This field is provided only when the underlying transport can guarantee the 
schema://authority of the party making the request - currently 
window.postMessage and RMR transports. Flash will come soon to round out 
support for all browsers.

The field carries the requestor's full URL as far as it is known, not just the origin, so that it can also serve for stats-taking and referrer-passing. Only the schema://authority part is verified: a requestor from a given schema://authority can claim any path, so consumers must not rely on the path portion.


Modified:
    shindig/trunk/features/src/main/javascript/features/rpc/rmr.transport.js
    shindig/trunk/features/src/main/javascript/features/rpc/rpc.js
    shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js

Modified: 
shindig/trunk/features/src/main/javascript/features/rpc/rmr.transport.js
URL: 
http://svn.apache.org/viewvc/shindig/trunk/features/src/main/javascript/features/rpc/rmr.transport.js?rev=1073988&r1=1073987&r2=1073988&view=diff
==============================================================================
--- shindig/trunk/features/src/main/javascript/features/rpc/rmr.transport.js 
(original)
+++ shindig/trunk/features/src/main/javascript/features/rpc/rmr.transport.js 
Wed Feb 23 23:32:44 2011
@@ -54,6 +54,8 @@ if (!gadgets.rpctx.rmr) {  // make lib r
     // per gadget stored under the gadget's ID.
     var rmr_channels = {};
 
+    var parentParam = gadgets.util.getUrlParameters()['parent'];
+
     var process;
     var ready;
 
@@ -134,7 +136,7 @@ if (!gadgets.rpctx.rmr) {  // make lib r
       var relayUri = gadgets.rpc.getRelayUrl(frameId);
       if (!relayUri) {
         relayUri =
-            gadgets.rpc.getOrigin(gadgets.util.getUrlParameters()['parent']) +
+            gadgets.rpc.getOrigin(parentParam);
             '/robots.txt';
       }
 
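Review bot: The rewritten line `gadgets.rpc.getOrigin(parentParam);` terminates the statement, so the following `'/robots.txt';` becomes an orphaned expression and the fallback relay URL loses the `/robots.txt` path that the removed line concatenated (the `+` at the end of the old line is gone). Unless the trailing `+` was only lost in rendering, restore the concatenation on one line: `relayUri = gadgets.rpc.getOrigin(parentParam) + '/robots.txt';`. This is exactly the kind of slip a no-unused-expressions lint rule catches. The enclosing function starts and ends outside the hunk.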
@@ -369,7 +371,12 @@ if (!gadgets.rpctx.rmr) {  // make lib r
         }
 
         ++channel.recvId;
-        process(rpc);  // actually dispatch the message
+
+        // Best-effort at determining origin. Use parent param if relayUri's
+        // origin matches that of the relayUri; else use relayUri.
+        var origin = gadgets.rpc.getOrigin(parentParam) == 
gadgets.rpc.getOrigin(channel.relayUri)
+            ? parentParam : channel.relayUri;
+        process(rpc, origin);  // actually dispatch the message
       }
 
       // Send an ACK indicating that we got/processed the message(s).
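Review bot: The comment above the new `var origin` lines reads "if relayUri's origin matches that of the relayUri", which is a tautology and does not describe the comparison that follows; it should read `// Use parentParam if its origin matches channel.relayUri's origin; else fall back to channel.relayUri.` It is also worth saying in the same comment that both candidates are full URLs whose path the requestor controls (`parent` is a query parameter of this page), so only `gadgets.rpc.getOrigin(origin)` is safe for authorization decisions — the commit message says this, the code does not. Style-wise, compare the two origin strings with `===` rather than `==`. The comparison presumably relies on `channel.relayUri` having been stored when the channel was created; that code, and the enclosing function, lie outside the hunk.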

Modified: shindig/trunk/features/src/main/javascript/features/rpc/rpc.js
URL: 
http://svn.apache.org/viewvc/shindig/trunk/features/src/main/javascript/features/rpc/rpc.js?rev=1073988&r1=1073987&r2=1073988&view=diff
==============================================================================
--- shindig/trunk/features/src/main/javascript/features/rpc/rpc.js (original)
+++ shindig/trunk/features/src/main/javascript/features/rpc/rpc.js Wed Feb 23 
23:32:44 2011
@@ -98,6 +98,18 @@ if (!gadgets.rpc) { // make lib resilien
      */
     var ID_ORIGIN_DELIMITER = '|';
 
+    /**
+     * @const
+     * @private
+     */
+    var RPC_KEY_CALLBACK = 'callback';
+
+    /**
+     * @const
+     * @private
+     */
+    var RPC_KEY_ORIGIN = 'origin';
+
     var services = {};
     var relayUrl = {};
     var useLegacyProtocol = {};
@@ -241,11 +253,15 @@ if (!gadgets.rpc) { // make lib resilien
     }
 
     /**
-     * Helper function to process an RPC request
+     * Helper function that performs actual processing of an RPC request.
+     * Origin is passed in separately to ensure that it cannot be spoofed,
+     * and guard code in the method ensures the same before dispatching
+     * any service handler.
      * @param {Object} rpc RPC request object.
+     * @param {String} opt_origin Verified origin of the rpc sender, if 
available.
      * @private
      */
-    function process(rpc) {
+    function process(rpc, opt_origin) {
       //
       // RPC object contents:
       //   s: Service Name
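Review bot: The new JSDoc calls `opt_origin` the "Verified origin of the rpc sender", but for the RMR transport it is a full URL (parent parameter or relay URL) whose path is not verified, and transports not touched by this commit still call `process(rpc)` with no second argument, so the parameter should be marked optional. Suggest `@param {string=} opt_origin Transport-verified origin of the sender; only the schema://authority part is guaranteed, the path is requestor-supplied. Undefined when the transport cannot verify the sender.` The phrase "guard code in the method ensures the same" points at code not visible here; if it refers to the unconditional overwrite of rpc['origin'], name that explicitly so the claim is checkable. process() continues past the end of the hunk.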
@@ -291,11 +307,15 @@ if (!gadgets.rpc) { // make lib resilien
         //   }, 1000);
         // }
         if (rpc['c']) {
-          rpc['callback'] = function(result) {
+          rpc[RPC_KEY_CALLBACK] = function(result) {
             gadgets.rpc.call(rpc['f'], CALLBACK_NAME, null, rpc['c'], result);
           };
         }
 
+        // Set the requestor origin.
+        // If not passed by the transport, then this simply sets to undefined.
+        rpc[RPC_KEY_ORIGIN] = opt_origin;
+
         // Call the requested RPC service.
         var result = (services[rpc['s']] ||
             services[DEFAULT_NAME]).apply(rpc, rpc['a']);
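Review bot: `rpc[RPC_KEY_ORIGIN] = opt_origin;` is the line that defeats spoofing — `rpc` is the wire payload, so any `origin` key the sender placed in it is overwritten — but the comment only says the value may be undefined, not why the assignment must be unconditional. Suggest replacing the two-line comment with `// Always overwrite: rpc comes off the wire, so a sender-supplied 'origin' must never survive. undefined means the transport could not verify the sender; handlers must treat that as untrusted and use gadgets.rpc.getOrigin(this.origin) before any authority decision, since the path may be requestor-chosen.` Separately, and pre-existing rather than introduced here, `services[rpc['s']]` looks a sender-controlled name up on a plain `{}` (declared as `var services = {};` above), so a value like `'constructor'` resolves to a function instead of falling through to DEFAULT_NAME; an own-property check would close that. The enclosing process() starts outside the hunk.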

Modified: 
shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js
URL: 
http://svn.apache.org/viewvc/shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js?rev=1073988&r1=1073987&r2=1073988&view=diff
==============================================================================
--- shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js 
(original)
+++ shindig/trunk/features/src/main/javascript/features/rpc/wpm.transport.js 
Wed Feb 23 23:32:44 2011
@@ -115,7 +115,7 @@ if (!gadgets.rpctx.wpm) {  // make lib r
           return;
         }
       }
-      process(rpc);
+      process(rpc, packet.origin);
     }
 
     return {
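Review bot: `process(rpc, packet.origin);` forwards the browser-supplied MessageEvent origin, which is the right source, but that value can be the literal string `"null"` for messages from sandboxed iframes or opaque origins, and a handler that compares `this.origin` against an allow-list must not be able to match it. Consider normalizing before dispatch, `process(rpc, packet.origin === 'null' ? undefined : packet.origin);`, so an unverifiable sender looks the same as a transport that supplies no origin. The `return;` at the top of the hunk presumably belongs to an origin check that already rejects mismatches; that check and the start of the enclosing function are outside the hunk.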

