The contents after the hash are not included in the referrer.

http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html#t=token

Compare this to passing it after a "?", in which case the referrer does leak the token in the url:

http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html?t=token

We use this behaviour in Gadget Ads and iGoogle to hide similar sensitive data. Passing it in the header is still more secure though.

On Jan 29, 2008 12:13 PM, Paul Lindner <[EMAIL PROTECTED]> wrote:
> On Tue, Jan 29, 2008 at 12:03:57PM -0800, Brian Eaton wrote:
> > Hey folks -
> >
> > When initializing a gadget it seems like the best place to put the
> > gadget token is in the URL fragment, i.e.
> > http://somegadget.com/foo.xml#t=token. What about when the token is
> > returned to the gadget server for authenticated requests? The
> > ProxyHandler code currently looks for the gadget token in the 't'
> > request parameter, but I'd like to move it to an HTTP header. URL
> > parameters tend to leak via the referer header, so moving the gadget
> > token out of the URL would be a security win.
>
> My gadgets.js has this.
>
>
> @@ -499,7 +500,7 @@
> return this.serverBase_ + 'ifr?url=' +
> encodeURIComponent(this.specUrl) + '&synd=' + this.SYND +
> '&mid=' +
> this.id + '&parent=' + encodeURIComponent(
> gadgets.container.parentUrl_) +
> - '&ogc=' + document.location.host + this.getUserPrefsParams();
> + '&ogc=' + document.location.host + this.getUserPrefsParams() + '#'
> + this.hashState;
> };
>
> gadgets.IfrGadget.prototype.getUserPrefsParams = function() {
>
>
> When you add a gadget you specify:
>
> var gadget = gadgets.container.createGadget({specUrl: specUrl0,
> hashState: 'xxxxxxx'});
>
> I'll try and bundle up my changes for general consumption..
>
>
> --
> Paul Lindner
> hi5 Architect
> [EMAIL PROTECTED]
>
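Review bot: the `+` line in the quoted hunk appends `'#' + this.hashState` unconditionally, so a gadget created without a `hashState` option gets an iframe URL ending in `#undefined`; guard the append, e.g. `(this.hashState ? '#' + encodeURIComponent(this.hashState) : '')`, and percent-encode the value as the same expression already does for `this.specUrl` and `gadgets.container.parentUrl_`, since a raw `#` or `%` in the token would otherwise corrupt the fragment. The change also carries no comment recording that `hashState` is deliberately placed in the fragment so it stays out of the Referer header, which is the property the thread relies on and the one a later maintainer is most likely to undo by moving it into the query string.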

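As an added example (not code from this thread or from Shindig), the token flow Brian and Paul describe in JavaScript: the container puts the token in the fragment when building the iframe URL, the gadget reads it back from its own location and returns it in a request header rather than the `t` query parameter, and a small helper shows which part of a page URL a browser puts in the Referer. Unlike the quoted patch, the fragment is only appended when a token is present and is percent-encoded; the header name `X-Gadget-Token` and the host names are assumptions.

```javascript
// Added example, not from the thread or the Shindig code base.
// Node's built-in URL and URLSearchParams stand in for browser location handling.

// Container side: build the gadget iframe URL.  The token is only appended when
// present, and encoded so a '#' or '%' inside it cannot corrupt the URL.
function buildIfrUrl(serverBase, gadget) {
  const params = new URLSearchParams({
    url: gadget.specUrl,
    mid: String(gadget.id),
    parent: gadget.parentUrl,
  });
  const base = serverBase + 'ifr?' + params.toString();
  return gadget.token ? base + '#t=' + encodeURIComponent(gadget.token) : base;
}

// What a browser sends as Referer for a request made from a page at pageUrl:
// scheme, host, path and query are included; the fragment never is.
// (Referrer policies may strip more, but none adds the fragment back.)
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  return u.origin + u.pathname + u.search;
}

// Gadget side: recover the token from the fragment of its own location.
function tokenFromFragment(pageUrl) {
  const hash = new URL(pageUrl).hash;              // e.g. "#t=abc"
  return new URLSearchParams(hash.slice(1)).get('t');
}

// Gadget side: carry the token back to the gadget server in a header instead
// of a query parameter.  The header name is an assumption; the thread names none.
const TOKEN_HEADER = 'X-Gadget-Token';

function authenticatedRequestHeaders(pageUrl) {
  const token = tokenFromFragment(pageUrl);
  if (!token) throw new Error('no gadget token in fragment');
  return { [TOKEN_HEADER]: token };
}
```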
