Admins could correlate X-User-IP (or X-Forwarded-For) headers against
the address of the Shindig proxy. This isn't bullet-proof, but it is
much better than providing an anonymous open proxy for anyone to
abuse.
Cheers,
Brian
On Mon, Feb 25, 2008 at 3:38 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
> Do we really want to promote them checking X-User-IP though? Couldn't an
> abusive user just send this IP anyway?
>
> It's probably useful to send it for systems that have some sort of DOS
> prevention mechanism though, but I'm not sure we should encourage anyone to
> actually rely on it.
>
>
>
> On Mon, Feb 25, 2008 at 3:22 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
>
> > [EMAIL PROTECTED],
> > [EMAIL PROTECTED]
> >
> > Should the open proxy in Shindig forward an X-User-IP header with the
> > client's IP to servers the client instructs us to contact?
> >
> > I'm concerned that the open proxy in Shindig will become a vector for
> > abuse. Sending the client IP will make it slightly easier for the
> > admins of targeted servers to blame the perpetrator rather than the
> > Shindig server.
> >
> > Cheers,
> > Brian
> >
> >
> > ---------- Forwarded message ----------
> > From: Kevin Brown <[EMAIL PROTECTED]>
> > Date: Mon, Feb 25, 2008 at 3:18 PM
> > Subject: Re: Passing in the client IP
> > To: [EMAIL PROTECTED]
> >
> >
> > That's a discussion worth having on the shindig mailing list,
> > probably, but it's a different issue than what I think Paul is trying
> > to address.
> >
> >
> >
> > On Mon, Feb 25, 2008 at 3:13 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> >
> > >
> > > Providing an X-User-IP header for requests sent through the proxy
> > > service might help reduce abuse of the open proxy in Shindig.
> > >
> > >
> > > On Mon, Feb 25, 2008 at 11:38 AM, Bruno Bowden <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > >
> > > > Geolocation is difficult to do well. For example, AOL users across the
> > > > country get mapped to the same IP address in Virginia. User preference
> > > > data can be helpful but what if they travel? There are also serious issues
> > > > surrounding user privacy, which vary from country to country.
> > > >
> > > > Ultimately it should be Shindig's responsibility to draw on as many
> > > > information sources as possible and make a best guess.
> > > >
> > > > Syntax:
> > > > Use ints for lat / lon, representing data in microdegrees (more accuracy
> > > > than using a 4 byte float). This gives up to 14m resolution, so the IP
> > > > geotargeting will be a more limiting factor. For example, 145 degrees =>
> > > > 145,000,000.
> > > >
> > > > Example:
> > > > var prefs = new gadgets.Prefs();
> > > > var lat = prefs.getString("lat");
> > > > var long = prefs.getString("long");
> > > >
> > > >
> > > >
> > > >
> > > > On Mon, Feb 25, 2008 at 7:03 AM, Kevin Marks <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > Why not use the location information in the viewer/owner person info
> > > > > for this?
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Mon, Feb 25, 2008 at 2:21 AM, Paul Lindner <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > At a recent hackathon a developer wanted to be able to query the IP
> > > > > > address of the client invoking the gadget. The developer wanted to
> > > > > > use this for geolocation.
> > > > > >
> > > > > > Considering that it might be useful to include other http headers too,
> > > > > > cookies, languages, etc.
> > > > > >
> > > > > > It seems like it would be fairly easy for the gadget server to inject
> > > > > > this information.
> > > > > >
> > > > > > I am unsure what the API to access this information would be like.
> > > > > >
> > > > > > --
> > > > > > Paul Lindner ||||| | | | | | | | | |
> > > > > > [EMAIL PROTECTED]
> > > > > >
> > --
> > ~Kevin
> >
> > If you received this email by mistake, please delete it, cancel your
> > mail account, destroy your hard drive, silence any witnesses, and burn
> > down the building that you're in.
> >
>
>
>
> --
> ~Kevin
>
> If you received this email by mistake, please delete it, cancel your mail
> account, destroy your hard drive, silence any witnesses, and burn down the
> building that you're in.
>
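
Added example, not part of the original thread or of Shindig's code: a sketch of the correlation discussed above, as a target server's admin might do it, honouring X-User-IP / X-Forwarded-For only when the TCP peer is the known Shindig proxy and ignoring it otherwise, since any client can send the header itself. The proxy address, the sample requests and the assumption that the proxy appends the client address as the last list element are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the Shindig proxy's egress address as known to the target
# server's admin (constructed value from a documentation range).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]
CLIENT_HEADERS = ("X-User-IP", "X-Forwarded-For")


def attribute(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return (ip_to_hold_accountable, reason) for one request."""
    peer = ipaddress.ip_address(peer_ip)
    claimed = next((headers[h] for h in CLIENT_HEADERS if h in headers), None)
    if not any(peer in net for net in trusted):
        # Not the proxy: anyone can type these headers, so ignore them.
        reason = "header-ignored" if claimed else "direct"
        return str(peer), reason
    if claimed is None:
        return str(peer), "proxy-no-header"
    # Assumption: the proxy appends the address it saw as the last list
    # element; earlier elements may have been supplied by the client.
    candidate = claimed.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate)), "via-proxy"
    except ValueError:
        return str(peer), "proxy-bad-header"


def tally(requests):
    """Count requests per accountable address, e.g. to feed a rate limiter."""
    return Counter(attribute(peer, hdrs)[0] for peer, hdrs in requests)


# Constructed sample requests: (TCP peer address, request headers).
SAMPLE = [
    ("192.0.2.10", {"X-User-IP": "203.0.113.7"}),
    ("192.0.2.10", {"X-Forwarded-For": "10.1.1.1, 203.0.113.7"}),
    ("198.51.100.9", {"X-User-IP": "203.0.113.7"}),
    ("192.0.2.10", {"X-User-IP": "not-an-ip"}),
    ("192.0.2.10", {}),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE:
        print(peer, hdrs, "->", attribute(peer, hdrs))
    print(tally(SAMPLE))
```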