Problem: Whitelisting headers will inevitably miss some (Slug:?) which some gadget will need somewhere.
Same issue that the W3C is struggling with over cross-site requests for browsers. Possibly that discussion has come up with a good blacklist... I know that blacklists aren't good security, but...

On Mon, Mar 17, 2008 at 5:49 AM, Brian Eaton (JIRA) <[EMAIL PROTECTED]> wrote:
> forwarding browser headers on remote content requests
> -----------------------------------------------------
>
>                 Key: SHINDIG-133
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-133
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>
>
> There is some fairly dodgy code in ProxyHandler.java. If a GET request
> shows up at the server, nearly all of the headers sent from the browser are
> forwarded to the backend. This should be replaced with a white list of
> headers that are OK to copy out of the request.
>
> As an example of various things that are likely to go wrong with the current
> code:
> - cookies will be forwarded (and yes, I know gadgets shouldn't have cookies,
> but if they do we shouldn't leak them this way.)
> - some hop by hop headers will be forwarded
>
> There are probably other issues.
>
> Problem code is here:
>
>     if ("POST".equals(method)) {
>       ....
>     } else {
>       postBody = null;
>       headers = new HashMap<String, List<String>>();
>       Enumeration<String> headerNames = request.getHeaderNames();
>       while (headerNames.hasMoreElements()) {
>         String header = headerNames.nextElement();
>         headers.put(header, Collections.list(request.getHeaders(header)));
>       }
>     }
>
>     removeUnsafeHeaders(headers);
>
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
>
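As an added example (not Shindig's code and not from either message above), this is the kind of allow-list filter the issue asks for, written against a plain header map instead of HttpServletRequest so it runs on its own; the ForwardHeaderFilter name, the allowed-header set and the sample headers are assumptions. Beyond the fixed list, it also drops hop-by-hop headers, including any that the request's own Connection header names, which is the case a static list alone misses.

```java
import java.util.*;

/** Allow-list filter for request headers a proxy copies from the browser to the backend. */
public final class ForwardHeaderFilter {
    // Headers assumed safe to copy on a proxied GET (assumed list, not Shindig's).
    private static final Set<String> ALLOWED = Set.of(
        "accept", "accept-language", "accept-charset",
        "if-modified-since", "if-none-match", "cache-control", "pragma");
    // Hop-by-hop headers per RFC 2616 section 13.5.1; never forwarded even if allowed.
    private static final Set<String> HOP_BY_HOP = Set.of(
        "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
        "te", "trailers", "transfer-encoding", "upgrade");

    private ForwardHeaderFilter() {}

    /** Returns only the headers that may be forwarded, keys lower-cased.
     *  extraAllowed holds additional lower-case names (e.g. "slug") a gadget needs. */
    public static Map<String, List<String>> filter(Map<String, List<String>> in,
                                                   Set<String> extraAllowed) {
        // Header names listed in Connection are hop-by-hop for this request (RFC 2616 14.10).
        Set<String> hop = new HashSet<>(HOP_BY_HOP);
        for (Map.Entry<String, List<String>> e : in.entrySet()) {
            if (e.getKey().equalsIgnoreCase("connection")) {
                for (String value : e.getValue())
                    for (String token : value.split(","))
                        hop.add(token.trim().toLowerCase(Locale.ROOT));
            }
        }
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : in.entrySet()) {
            String name = e.getKey().toLowerCase(Locale.ROOT);
            boolean allowed = ALLOWED.contains(name) || extraAllowed.contains(name);
            if (allowed && !hop.contains(name)) {
                out.put(name, List.copyOf(e.getValue()));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of what a browser might send to the proxy.
        Map<String, List<String>> browser = new LinkedHashMap<>();
        browser.put("Cookie", List.of("SID=abc"));                // dropped: not allowed
        browser.put("Authorization", List.of("Basic Zm9v"));      // dropped: not allowed
        browser.put("Accept", List.of("application/atom+xml"));   // kept
        browser.put("Transfer-Encoding", List.of("chunked"));     // dropped: hop-by-hop
        browser.put("Connection", List.of("keep-alive, Slug"));   // marks Slug hop-by-hop
        browser.put("Slug", List.of("My Entry"));                 // dropped despite extraAllowed
        System.out.println(filter(browser, Set.of("slug")));
    }
}
```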

