Re: How to prevent abuse of the proxy

Wed, 16 Jul 2008 13:58:35 -0700

So how does it prevent the use of the proxy as a 'free Akamai' when people can use it for their images/etc? 

On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote:
Yes, it works under that use case. Sending it as an attachment does not 
interfere with legitimate use of the proxy as it does not impact img,
object, embed, script, or link elements or style sheet imports.

On Wed, Jul 16, 2008 at 1:46 PM, Ropu <[EMAIL PROTECTED]> wrote:


hi

i have a question.

will sending proxy results as attachment work with this example?
*
Let the container cache your dynamic content*
http://code.google.com/apis/opensocial/articles/latency/#dynamic
The gadgets.io.getProxyUrl function will return the location of the cached version of the URL you provide, including images, JavaScript, and CSS. So 
instead of using the URL of content hosted on your server, like this:

function showImage() {
imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
html = ['<img src="', imgUrl, '">'];
document.getElementById('dom_handle').innerHTML = html.join('');
};

showImage();

you can use the URL of the cached content, like this:

function showImage() {
imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
*cachedUrl = gadgets.io.getProxyUrl(imgUrl);*
html = ['<img src="', *cachedUrl*, '">'];
document.getElementById('dom_handle').innerHTML = html.join('');
};


showImage();



if so, its preventing "free akamai"or phishing?
said this, or the example is wrong (and we are limiting functionality) or 
the solution is partial (or im completely mixed up :P)

ropu

On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <[EMAIL PROTECTED]> wrote: 


Hi,
what is the suggested strategy to prevent abuse of the open proxy at /gadgets/proxy? I found some old discussions from february about adding 
the
IP address of the user as HTTP header. Some testing however showed that 
this

is not yet implemented.
Are there any plans to implement some kind of whitelist feature? More importantly: Are there any reasons against implementing such a feature?
You could always add a whitelist for outbound requests, but you'd have to 
do
a custom http fetcher implementation.
The java version is currently returning all proxied files as attachments, 
which has helped significantly with reducing the potential of
/gadgets/proxy
as a phishing vector or free Akamai.






Best Regards,

Karsten Beyer
[EMAIL PROTECTED]










--
.-. --- .--. ..-
R o p u

Reply via email to