Public list, public urls:

http://brunobowden.dreamhosters.com/gadgets/tmp/referrer-source.html#t=token

http://brunobowden.dreamhosters.com/gadgets/tmp/referrer-source.html?t=token


On Jan 29, 2008 12:43 PM, Bruno Bowden <[EMAIL PROTECTED]> wrote:

> The contents after the hash are not included in the referrer.
>
>
> http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html#t=token
>
> Compare this to passing it after a "?", in which case the referrer does
> leak the token in the url:
>
>
> http://www.corp.google.com/~bruno/gadgets/tmp/referrer-source.html?t=token
> We use this behaviour in Gadget Ads and iGoogle to hide similar sensitive
> data.
>
> Passing it in the header is still more secure though.
>
>
>
>
>
> On Jan 29, 2008 12:13 PM, Paul Lindner <[EMAIL PROTECTED]> wrote:
>
> > On Tue, Jan 29, 2008 at 12:03:57PM -0800, Brian Eaton wrote:
> > > Hey folks -
> > >
> > > When initializing a gadget it seems like the best place to put the
> > > gadget token is in the URL fragment, i.e.
> > > http://somegadget.com/foo.xml#t=token.  What about when the token is
> > > returned to the gadget server for authenticated requests?  The
> > > ProxyHandler code currently looks for the gadget token in the 't'
> > > request parameter, but I'd like to move it to an HTTP header.  URL
> > > parameters tend to leak via the referer header, so moving the gadget
> > > token out of the URL would be a security win.
> >
> > My gadgets.js has this.
> >
> >
> > @@ -499,7 +500,7 @@
> >   return this.serverBase_ + 'ifr?url=' +
> >       encodeURIComponent(this.specUrl) + '&synd=' + this.SYND +
> > '&mid=' +
> >       this.id + '&parent=' + encodeURIComponent(
> > gadgets.container.parentUrl_) +
> > -      '&ogc=' + document.location.host + this.getUserPrefsParams();
> > +      '&ogc=' + document.location.host + this.getUserPrefsParams() +
> > '#' + this.hashState;
> >  };
> >
> >  gadgets.IfrGadget.prototype.getUserPrefsParams = function() {
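Review bot: `'#' + this.hashState` is appended unconditionally, so a gadget created without a `hashState` option ends up with an iframe URL ending in `#undefined`; wrap the append in a check, e.g. `(this.hashState ? '#' + this.hashState : '')`. Also, unlike `specUrl` and `parentUrl_` earlier in the same expression, the hash value is not passed through `encodeURIComponent`, so a token containing `#`, `&` or whitespace would be truncated or corrupted when the gadget reads it back from `location.hash`.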
> >
> >
> > When you add a gadget you specify:
> >
> >  var gadget = gadgets.container.createGadget({specUrl: specUrl0,
> >                                               hashState: 'xxxxxxx'});
> >
> > I'll try and bundle up my changes for general consumption..
> >
> >
> > --
> > Paul Lindner
> > hi5 Architect
> > [EMAIL PROTECTED]
> >
>
>
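The two URLs at the top of this message and Paul's `hashState` change illustrate the same point: a browser drops the fragment when it computes the Referer, but keeps the query string. The following is an added example, not Shindig's `gadgets.js`; the server base `http://gs.example/`, the `X-Gadget-Token` header name and the sample token are assumptions. It builds the iframe URL with the token in the fragment (guarded and encoded, unlike the patch), models what lands in the Referer for each form, reads the token back out of `location.hash`-style input, and moves it into a header for the proxy request.

```javascript
// Added example (not Shindig's gadgets.js): token in the fragment vs the query,
// and the move to an HTTP header that Brian proposes for ProxyHandler.

// Build the gadget iframe URL. The token goes after '#', so the browser keeps
// it client-side: it is never sent to the gadget server or put in a Referer.
function buildIframeUrl(serverBase, specUrl, hashState) {
  let url = serverBase + 'ifr?url=' + encodeURIComponent(specUrl);
  if (hashState) {                       // guard: avoid a trailing '#undefined'
    url += '#t=' + encodeURIComponent(hashState); // encode like the other params
  }
  return url;
}

// What a browser sends as the Referer for a page loaded at `pageUrl`:
// scheme, host, path and query survive; userinfo and fragment are dropped.
function referrerFor(pageUrl) {
  const u = new URL(pageUrl);
  return u.origin + u.pathname + u.search;
}

// Gadget side: recover the token from the fragment (what location.hash holds).
// Returns null when no fragment or no 't' entry is present.
function tokenFromFragment(pageUrl) {
  const hash = new URL(pageUrl).hash;               // e.g. '#t=abc%20def'
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get('t');
}

// Authenticated proxy request: the token rides in a header, not the URL, so it
// cannot leak via Referer or end up in URL-based access logs.
// 'X-Gadget-Token' is an assumed header name, not one from ProxyHandler.
function proxyRequest(proxyBase, targetUrl, token) {
  return {
    url: proxyBase + 'proxy?url=' + encodeURIComponent(targetUrl),
    headers: { 'X-Gadget-Token': token },
  };
}
```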
