Hi John, Craig

You mentioned some interesting things about the proxy in your thread, and 
I didn't want to hijack it, but I have some tangent questions of my own.

In Shindig I see:
ProxyServlet.java
...
      // TODO: Consider removing due to redundant logic.
      String host = request.getHeader("Host");
      if (!lockedDomainService.isSafeForOpenProxy(host)) {
...


But the implementation for isSafeForOpenProxy() is to return false if 
domain locking is enabled and the request came in on a locked domain.

From your conversations about the content-disposition header, it looks 
like for Jive and Google the locked gadgets can use the proxy.  Do either 
of you have any idea why the code is like this in Shindig?  Is it assumed 
to be so implementation specific that no one wanted to even bother with 
guessing so they just turned it off?

Do either of you have any good guidelines for an implementation of 
isSafeForOpenProxy that allows some use of the proxy from domain locked 
gadgets?
