On Mon, Feb 25, 2008 at 5:08 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
> I'm also a little concerned about privacy here. Do we really want the gadget
> authors to be able to get the user's IP? For abuse purposes, I'm OK with
> some sort of obfuscated identifier (a salted hash of the IP, perhaps), but
> this seems potentially dangerous. Of course, they could still get the IP
> anyway using redirects, so maybe this isn't such a big deal.
You could do it even simpler than that. Just src some javascript where the
server returns code that sets a variable to your IP address.
> Anyway, I'm +1 on preventing abuse in proxies, but I don't think this is a
> complete solution.
>
> On Mon, Feb 25, 2008 at 4:56 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
>
> > Admins could correlate X-User-IP (or X-Forwarded-For) headers against
> > the address of the Shindig proxy. This isn't bullet-proof, but it is
> > much better than providing an anonymous open proxy for anyone to
> > abuse.
> >
> > Cheers,
> > Brian
> >
> > On Mon, Feb 25, 2008 at 3:38 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
> > > > Do we really want to promote them checking X-User-IP though? Couldn't an
> > > > abusive user just send this IP anyway?
> > > >
> > > > It's probably useful to send it for systems that have some sort of DOS
> > > > prevention mechanism though, but I'm not sure we should encourage
> > > > anyone to actually rely on it.
> > > >
> > > On Mon, Feb 25, 2008 at 3:22 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> > >
> > > > [EMAIL PROTECTED],
> > > > [EMAIL PROTECTED]
> > > >
> > > > Should the open proxy in Shindig forward an X-User-IP header with the
> > > > client's IP to servers the client instructs us to contact?
> > > >
> > > > I'm concerned that the open proxy in Shindig will become a vector for
> > > > abuse. Sending the client IP will make it slightly easier for the
> > > > admins of targeted servers to blame the perpetrator rather than the
> > > > Shindig server.
> > > >
> > > > Cheers,
> > > > Brian
> > > >
> > > >
> > > > ---------- Forwarded message ----------
> > > > From: Kevin Brown <[EMAIL PROTECTED]>
> > > > Date: Mon, Feb 25, 2008 at 3:18 PM
> > > > Subject: Re: Passing in the client IP
> > > > To: [EMAIL PROTECTED]
> > > >
> > > >
> > > > That's a discussion worth having on the shindig mailing list,
> > > > probably, but it's a different issue than what I think Paul is trying
> > > > to address.
> > > >
> > > > On Mon, Feb 25, 2008 at 3:13 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> > > >
> > > > >
> > > > > Providing an X-User-IP header for requests sent through the proxy
> > > > > service might help reduce abuse of the open proxy in Shindig.
> > > > >
> > > > > On Mon, Feb 25, 2008 at 11:38 AM, Bruno Bowden <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > Geolocation is difficult to do well. For example AOL users across the
> > > > > > country getting mapped to the same IP address in Virginia. User preference
> > > > > > data can be helpful but what if they travel? There are also serious issues
> > > > > > surrounding user privacy, which vary from country to country.
> > > > > >
> > > > > > Ultimately it should be Shindig's responsibility to draw on as many
> > > > > > information sources as possible and make a best guess.
> > > > > >
> > > > > > Syntax:
> > > > > > Use ints for lat / lon, representing data in microdegrees (more accuracy
> > > > > > than using a 4 byte float). This gives up to 14m resolution, so the IP
> > > > > > geotargeting will be a more limiting factor. For example, 145 degrees =>
> > > > > > 145,000,000.
> > > > > >
> > > > > > Example:
> > > > > > var prefs = new gadgets.Prefs();
> > > > > > var lat = prefs.getString("lat");
> > > > > > var long = prefs.getString("long");
> > > > > >
> > > > > > On Mon, Feb 25, 2008 at 7:03 AM, Kevin Marks <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > Why not use the location information in the viewer/owner person info for
> > > > > > > this?
> > > > > > >
> > > > > > > On Mon, Feb 25, 2008 at 2:21 AM, Paul Lindner <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > At a recent hackathon a developer wanted to be able to query the IP
> > > > > > > > address of the client invoking the gadget. The developer wanted to
> > > > > > > > use this for geolocation.
> > > > > > > >
> > > > > > > > Considering that it might be useful to include other http headers too,
> > > > > > > > cookies, languages, etc.
> > > > > > > >
> > > > > > > > It seems like it would be fairly easy for the gadget server to inject
> > > > > > > > this information.
> > > > > > > >
> > > > > > > > I am unsure what the API to access this information would be like.
> > > > > > > > --
> > > > > > > > Paul Lindner ||||| | | | | | | | | |
> > > > > > > > [EMAIL PROTECTED]
> > > > > > > >
> > > >
> > > > --
> > > > ~Kevin
> > > >
> > > > If you received this email by mistake, please delete it, cancel your
> > > > mail account, destroy your hard drive, silence any witnesses, and burn
> > > > down the building that you're in.
> > > >
> > > >
> > > > --~--~---------~--~----~------------~-------~--~----~
> > > > You received this message because you are subscribed to the Google
> > > > Groups "OpenSocial and Gadgets Specification Discussion" group.
> > > > To post to this group, send email to
> > > > [EMAIL PROTECTED]
> > > > To unsubscribe from this group, send email to
> > > > [EMAIL PROTECTED]
> > > > For more options, visit this group at
> > > > http://groups.google.com/group/opensocial-and-gadgets-spec?hl=en
> > > > -~----------~----~----~----~------~----~------~--~---
> > >
> > > --
> > > ~Kevin
> > >
>
> --
> ~Kevin
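The two defensive ideas the thread circles around, Brian's "trust X-User-IP only when it arrives from the Shindig proxy" and Kevin's "give gadget authors a salted hash rather than the raw IP", as added example code that is not from the thread or from Shindig. The proxy address and the salt are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholders: a real deployment lists its own proxy address(es)
# and keeps the salt secret and rotated.
TRUSTED_PROXIES = {"203.0.113.10"}      # assumed address of the Shindig proxy
ABUSE_SALT = b"example-salt-rotate-me"  # assumed per-deployment secret salt


def resolve_client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Decide which address a target server should attribute a request to.

    X-User-IP (or X-Forwarded-For) is believed only when the TCP peer is a
    known Shindig proxy. Anyone else can type the header themselves, so for
    them the peer address is what gets logged or rate-limited.
    Returns (ip, via_trusted_proxy).
    """
    peer = str(ipaddress.ip_address(remote_addr))
    if peer not in trusted_proxies:
        return peer, False
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("x-user-ip") or lowered.get("x-forwarded-for", "")
    # X-Forwarded-For may be a comma-separated chain; the leftmost entry is
    # the originating client, later entries are intermediate proxies.
    candidate = forwarded.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate)), True
    except ValueError:
        # Missing or malformed header from a trusted proxy: fall back to the
        # proxy's own address rather than trusting garbage.
        return peer, False


def abuse_token(client_ip, salt=ABUSE_SALT):
    """Salted hash of the client IP, the obfuscated identifier Kevin suggests.

    Stable for one address, so a repeat offender can be rate-limited or
    blocked, without handing the raw IP to the gadget.
    """
    return hmac.new(salt, client_ip.encode(), hashlib.sha256).hexdigest()[:16]
```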