Brian is referring to passing it to the endpoints (such as the proxy handler). Passing it on the hash to the iframe is the only way to get it into the iframe at all.
On Jan 29, 2008 12:43 PM, Bruno Bowden <[EMAIL PROTECTED]> wrote:
> The contents after the hash are not included in the referrer.
>
> http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html#t=token
>
> Compare this to passing it after a "?", in which case the referrer does
> leak the token in the url:
>
> http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html?t=token
>
> We use this behaviour in Gadget Ads and iGoogle to hide similar sensitive
> data.
>
> Passing it in the header is still more secure though.
>
> On Jan 29, 2008 12:13 PM, Paul Lindner <[EMAIL PROTECTED]> wrote:
>
> > On Tue, Jan 29, 2008 at 12:03:57PM -0800, Brian Eaton wrote:
> > > Hey folks -
> > >
> > > When initializing a gadget it seems like the best place to put the
> > > gadget token is in the URL fragment, i.e.
> > > http://somegadget.com/foo.xml#t=token. What about when the token is
> > > returned to the gadget server for authenticated requests? The
> > > ProxyHandler code currently looks for the gadget token in the 't'
> > > request parameter, but I'd like to move it to an HTTP header. URL
> > > parameters tend to leak via the referer header, so moving the gadget
> > > token out of the URL would be a security win.
> >
> > My gadgets.js has this.
> >
> > @@ -499,7 +500,7 @@
> > return this.serverBase_ + 'ifr?url=' +
> > encodeURIComponent(this.specUrl) + '&synd=' + this.SYND +
> > '&mid=' +
> > this.id + '&parent=' + encodeURIComponent(
> > gadgets.container.parentUrl_) +
> > - '&ogc=' + document.location.host + this.getUserPrefsParams();
> > + '&ogc=' + document.location.host + this.getUserPrefsParams() +
> '#'
> > + this.hashState;
> > };
> >
> > gadgets.IfrGadget.prototype.getUserPrefsParams = function() {
> >
> >
> > When you add a gadget you specify:
> >
> > var gadget = gadgets.container.createGadget({specUrl: specUrl0,
> > hashState: 'xxxxxxx'});
> >
> > I'll try and bundle up my changes for general consumption.
> >
> > --
> > Paul Lindner
> > hi5 Architect
> > [EMAIL PROTECTED]
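Review bot: the replacement line `+ '&ogc=' + ... + this.getUserPrefsParams() + '#' + this.hashState;` appends the fragment unconditionally and without encoding, so a gadget created without a `hashState` option gets an iframe URL ending in `#undefined`, and a value containing `#`, `%` or whitespace is corrupted or truncated once it reaches the fragment. Suggest guarding and encoding it, e.g. `(this.hashState ? '#t=' + encodeURIComponent(this.hashState) : '')`, which also matches the `#t=token` shape Brian proposed; the hunk does not show where `hashState` from `createGadget({... hashState: ...})` is stored on the `IfrGadget`, so the bundled patch should include that assignment and a comment stating that the value is deliberately kept out of the query string so it never reaches the `ifr` servlet or a Referer header.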
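The referrer behaviour the thread relies on, as an added example that is not code from this thread or from Shindig's gadgets.js: the container puts the token in the fragment in the `#t=token` shape Brian proposed, `referrerFor` models what a browser sends as Referer (fragment and userinfo stripped, query string kept), and the iframe side lifts the token out of `location.hash` and sends it in a request header instead of a `t` query parameter. The function names, the `container.example` URLs and the `X-Gadget-Token` header name are assumptions made for this example.

```javascript
// Added example, not code from this thread or from Shindig's gadgets.js.
// It models what the thread describes: a gadget token in the URL fragment
// stays out of the Referer header, the same token in the query string does
// not, and the iframe lifts the token from location.hash and sends it in an
// HTTP header rather than a `t` query parameter. The function names, the
// container URLs and the `X-Gadget-Token` header name are assumptions.

// Container side: build the iframe URL with the token in the fragment, in
// the `#t=token` shape from the thread, percent-encoding each component so a
// token containing `#`, `&` or spaces cannot break the URL.
function buildIframeUrl(serverBase, specUrl, token) {
  const url = new URL(serverBase + 'ifr');
  url.searchParams.set('url', specUrl);
  if (token) {
    url.hash = 't=' + encodeURIComponent(token);
  }
  return url.toString();
}

// What a browser sends as Referer for a document at `documentUrl`: the
// fragment and any credentials are removed, the query string is kept
// (RFC 2616 section 14.36; RFC 7231 section 5.5.2 says the same).
function referrerFor(documentUrl) {
  const u = new URL(documentUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.toString();
}

// Would a page at `documentUrl` disclose `token` through its Referer?
function referrerLeaksToken(documentUrl, token) {
  return referrerFor(documentUrl).includes(encodeURIComponent(token));
}

// Iframe side: recover the token from location.hash ("#t=..."); returns null
// when the fragment carries no token. URLSearchParams undoes the encoding.
function tokenFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get('t');
}

// Headers for the authenticated call to the proxy endpoint: the token rides
// in a request header, so it is never part of a URL that could be logged or
// echoed in a Referer. The header name is an assumption for this example.
function authHeadersFor(token) {
  if (!token) {
    throw new Error('no gadget token available');
  }
  return { 'X-Gadget-Token': token };
}

// Stand-alone demonstration with constructed values.
if (typeof require !== 'undefined' && require.main === module) {
  const fragmentUrl = buildIframeUrl('http://container.example/',
      'http://somegadget.com/foo.xml', 's3cr3t-token');
  const queryUrl = 'http://container.example/ifr?url=http%3A%2F%2Fsomegadget.com%2Ffoo.xml&t=s3cr3t-token';
  console.log('fragment URL   :', fragmentUrl);
  console.log('  Referer sent :', referrerFor(fragmentUrl));
  console.log('  leaks token? :', referrerLeaksToken(fragmentUrl, 's3cr3t-token'));
  console.log('query URL      :', queryUrl);
  console.log('  Referer sent :', referrerFor(queryUrl));
  console.log('  leaks token? :', referrerLeaksToken(queryUrl, 's3cr3t-token'));
  const token = tokenFromHash(new URL(fragmentUrl).hash);
  console.log('iframe headers :', authHeadersFor(token));
}
```

Run it under Node; the fragment URL yields a Referer with no trace of the token while the query-string URL leaks it verbatim, which is exactly the difference Bruno's two test pages show. The encoding in `buildIframeUrl` and the null return from `tokenFromHash` cover the two cases the bare `'#' + this.hashState` concatenation in Paul's patch does not.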

