If I understand it right, client side needs to get the domain prefix
(which is base32(sha1(gadget_url)) for now). There are couple ways to
get it
1) Retrieve the gadget metadata.
the url is included in the gadget metadata (can be obtained via
call to the metadata interface)
2) calculate it in javascript
My question is that DNS must be modified to make all <*.example.com>
(assume example.com is my domain) point to example.com. Is that
right? Otherwise, the domain with hash prefix cannot be resolved?
Gerald
On Wed, Oct 13, 2010 at 7:40 PM, John Hjelmstad <[email protected]> wrote:
> Hi Gabriel:
>
> This is precisely what the "locked-domain" feature does.
>
> The default implementation in Shindig - which Google uses - is to generate a
> URL w/ prefix base32(sha1(gadgetUrl)).
>
> This occurs when:
> A) the gadget requires "locked-domain" explicitly
> B) the gadget requires another feature that has a <dependency> on
> locked-domain
> C) the container is set up (in its ContainerConfig, via key
> "gadgets.uri.iframe.lockedDomainRequired" with type boolean) to demand
> locked-domain for all renders
>
> The validation algorithm is thus:
> A. when a gadget requires locked-domain, it MUST have a locked-domain
> prefix.
> B. if the domain on which a gadget is rendered has *any* valid locked-domain
> *suffix*, mark as invalid.
>
> Doing this ensures the domain isolation of each gadget.
>
> The bulk of this functionality is implemented in the Java implementation in:
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/DefaultIframeUriManager.java
>
> INVALID_DOMAIN is returned in the mismatched cases. locked-domain URLs are
> generated if (usingLockedDomain(...)).
>
> The default prefix generator is:
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/uri/HashShaLockedDomainPrefixGenerator.java
>
> --j
>
> On Wed, Oct 13, 2010 at 4:29 PM, Gabriel Guardincerri
> <[email protected]>wrote:
>
>> Hi,
>>
>> We would like increase the security of each gadget by having each one in a
>> different subdomain. This is, have each iframe in a different subdomain to
>> use the cross-domain security of the browsers.
>> We found that we can define the urls using our own container.js, but
>> there's
>> no way to assign a different subdomain for each gadget. So, is there a way
>> to make that more dynamic, or to do something else to have a different
>> subdomain for each gadget?
>>
>> Thanks,
>>
>> Gabriel
>>
>
