On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González <[EMAIL PROTECTED]> wrote:
> btw, why all the files that pass through the proxy are named as "p.txt"?
> it's a convention or what?

The "p" is arbitrary (it stands for proxy). The .txt extension generally
causes the file to be opened in a text editor rather than the web browser
(either that or the user gets a download dialog). Most other extensions
would be loaded in the browser (making the technique ineffective) or
blocked by security software.

> On Wed, Jul 16, 2008 at 5:58 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:
>
> > So how does it prevent the use of the proxy as a 'free Akamai' when
> > people can use it for their images/etc?
> >
> > On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote:
> >
> >> Yes, it works under that use case. Sending it as an attachment does not
> >> interfere with legitimate use of the proxy as it does not impact img,
> >> object, embed, script, or link elements or style sheet imports.
> >>
> >> On Wed, Jul 16, 2008 at 1:46 PM, Ropu <[EMAIL PROTECTED]> wrote:
> >>
> >>> hi
> >>>
> >>> I have a question.
> >>>
> >>> will sending proxy results as attachment work with this example?
> >>>
> >>> *Let the container cache your dynamic content*
> >>> http://code.google.com/apis/opensocial/articles/latency/#dynamic
> >>>
> >>> The gadgets.io.getProxyUrl function will return the location of the
> >>> cached version of the URL you provide, including images, JavaScript,
> >>> and CSS. So instead of using the URL of content hosted on your server,
> >>> like this:
> >>>
> >>>   function showImage() {
> >>>     imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
> >>>     html = ['<img src="', imgUrl, '">'];
> >>>     document.getElementById('dom_handle').innerHTML = html.join('');
> >>>   };
> >>>
> >>>   showImage();
> >>>
> >>> you can use the URL of the cached content, like this:
> >>>
> >>>   function showImage() {
> >>>     imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
> >>>     cachedUrl = gadgets.io.getProxyUrl(imgUrl);
> >>>     html = ['<img src="', cachedUrl, '">'];
> >>>     document.getElementById('dom_handle').innerHTML = html.join('');
> >>>   };
> >>>
> >>>   showImage();
> >>>
> >>> if so, it's preventing "free akamai" or phishing?
> >>>
> >>> said this, or the example is wrong (and we are limiting functionality)
> >>> or the solution is partial (or I'm completely mixed up :P)
> >>>
> >>> ropu
> >>>
> >>> On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
> >>>
> >>>> On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> what is the suggested strategy to prevent abuse of the open proxy at
> >>>>> /gadgets/proxy? I found some old discussions from February about
> >>>>> adding the IP address of the user as HTTP header. Some testing however
> >>>>> showed that this is not yet implemented.
> >>>>>
> >>>>> Are there any plans to implement some kind of whitelist feature? More
> >>>>> importantly: Are there any reasons against implementing such a feature?
> >>>>
> >>>> You could always add a whitelist for outbound requests, but you'd have
> >>>> to do a custom http fetcher implementation.
> >>>>
> >>>> The Java version is currently returning all proxied files as
> >>>> attachments, which has helped significantly with reducing the potential
> >>>> of /gadgets/proxy as a phishing vector or free Akamai.
> >>>>
> >>>>> Best Regards,
> >>>>>
> >>>>> Karsten Beyer
> >>>>> [EMAIL PROTECTED]
> >>>
> >>> --
> >>> .-. --- .--. ..-
> >>> R o p u
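
The two mitigations named in the thread (a whitelist for outbound requests, and returning every proxied file as an attachment named p.txt), sketched as an added example. This is not Shindig's code and not part of any message above; the function names, the allowlist contents and the exact header string are assumptions.

```javascript
// Added illustration; not Shindig code. All names here are hypothetical.
const ALLOWED_HOSTS = new Set(['www.example.com']); // constructed allowlist

// Outbound allowlist: decide whether the proxy may fetch rawUrl at all.
function isAllowedTarget(rawUrl, allowed = ALLOWED_HOSTS) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (err) {
    return false; // unparsable input is refused, never guessed at
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  // Refuse userinfo so "http://www.example.com@other.test/" cannot slip
  // past a substring check; compare the parsed hostname exactly instead.
  if (u.username !== '' || u.password !== '') return false;
  return allowed.has(u.hostname); // URL() has already lowercased the host
}

// Response hardening: whatever the origin sent, the proxied body goes out
// as an attachment named p.txt. A top-level navigation to the proxy URL
// then downloads or opens in a text editor, while img, script and link
// loads are unaffected, as described in the thread.
function hardenProxyHeaders(upstreamHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(upstreamHeaders)) {
    const lower = name.toLowerCase();
    if (lower === 'content-disposition') continue; // origin cannot override
    out[lower] = value;
  }
  out['content-disposition'] = 'attachment; filename="p.txt"';
  return out;
}

// Both checks together for one proxied request.
function handle(rawUrl, upstreamHeaders) {
  if (!isAllowedTarget(rawUrl)) return { status: 403, headers: {} };
  return { status: 200, headers: hardenProxyHeaders(upstreamHeaders) };
}
```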

