On Wed, Jul 16, 2008 at 2:27 PM, Emilio Daniel González <[EMAIL PROTECTED]> wrote:
> So, if I were a bad guy, can I copy all Internet into the proxy?! =P

It's a proxy and therefore isn't really inherently any more dangerous than any other proxy out there. The only real concern was that, since it can be viewed through a browser pointing at the originating host, it can be used as a phishing vector. If you do a whois on gmodules.com, for instance, you'll see that it's owned by Google, and you might not think twice about entering your user name and password. That's bad.

> On Wed, Jul 16, 2008 at 6:07 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
>
> > On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González <[EMAIL PROTECTED]> wrote:
> >
> > > btw, why all the files that pass through the proxy are named as "p.txt"?
> > > it's a convention or what?
> >
> > the "p" is arbitrary (it stands for proxy). The .txt extension generally
> > causes the file to be opened in a text editor rather than the web browser
> > (either that or the user gets a download dialog). Most other extensions
> > would be loaded in the browser (making the technique ineffective) or blocked
> > by security software.
> >
> > > On Wed, Jul 16, 2008 at 5:58 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:
> > >
> > > > So how does it prevent the use of the proxy as a 'free Akamai' when people
> > > > can use it for their images/etc?
> > > >
> > > > On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote:
> > > >
> > > > > Yes, it works under that use case. Sending it as an attachment does not
> > > > > interfere with legitimate use of the proxy as it does not impact img,
> > > > > object, embed, script, or link elements or style sheet imports.
> > > > >
> > > > > On Wed, Jul 16, 2008 at 1:46 PM, Ropu <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > hi
> > > > > >
> > > > > > I have a question.
> > > > > >
> > > > > > will sending proxy results as attachment work with this example?
> > > > > >
> > > > > > *Let the container cache your dynamic content*
> > > > > > http://code.google.com/apis/opensocial/articles/latency/#dynamic
> > > > > >
> > > > > > The gadgets.io.getProxyUrl function will return the location of the cached
> > > > > > version of the URL you provide, including images, JavaScript, and CSS. So
> > > > > > instead of using the URL of content hosted on your server, like this:
> > > > > >
> > > > > >   function showImage() {
> > > > > >     var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
> > > > > >     var html = ['<img src="', imgUrl, '">'];
> > > > > >     document.getElementById('dom_handle').innerHTML = html.join('');
> > > > > >   };
> > > > > >
> > > > > >   showImage();
> > > > > >
> > > > > > you can use the URL of the cached content, like this:
> > > > > >
> > > > > >   function showImage() {
> > > > > >     var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
> > > > > >     var cachedUrl = gadgets.io.getProxyUrl(imgUrl);
> > > > > >     var html = ['<img src="', cachedUrl, '">'];
> > > > > >     document.getElementById('dom_handle').innerHTML = html.join('');
> > > > > >   };
> > > > > >
> > > > > >   showImage();
> > > > > >
> > > > > > if so, it's preventing "free akamai" or phishing?
> > > > > >
> > > > > > said this, or the example is wrong (and we are limiting functionality) or
> > > > > > the solution is partial (or I'm completely mixed up :P)
> > > > > >
> > > > > > ropu
> > > > > >
> > > > > > On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > what is the suggested strategy to prevent abuse of the open proxy at
> > > > > > > > /gadgets/proxy? I found some old discussions from February about adding the
> > > > > > > > IP address of the user as HTTP header. Some testing however showed that this
> > > > > > > > is not yet implemented.
> > > > > > > >
> > > > > > > > Are there any plans to implement some kind of whitelist feature? More
> > > > > > > > importantly: Are there any reasons against implementing such a feature?
> > > > > > >
> > > > > > > You could always add a whitelist for outbound requests, but you'd have to do
> > > > > > > a custom http fetcher implementation.
> > > > > > >
> > > > > > > The Java version is currently returning all proxied files as attachments,
> > > > > > > which has helped significantly with reducing the potential of /gadgets/proxy
> > > > > > > as a phishing vector or free Akamai.
> > > > > > >
> > > > > > > > Best Regards,
> > > > > > > >
> > > > > > > > Karsten Beyer
> > > > > > > > [EMAIL PROTECTED]
> > > > > >
> > > > > > --
> > > > > > .-. --- .--. ..-
> > > > > > R o p u
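
The two mitigations discussed in this thread, a whitelist for outbound requests and returning every proxied file as an attachment named p.txt, sketched as an added example. This is not Shindig's code or anything posted in the thread; the function names, the host list and the sample response are assumptions made for illustration.

```javascript
// Added example, not Shindig code. ALLOWED_HOSTS, checkOutbound and
// proxyResponseHeaders are hypothetical names; the host list is constructed.
const ALLOWED_HOSTS = new Set(['www.example.com', 'static.example.net']);

// Outbound whitelist: only http(s) URLs whose exact host is listed may be fetched.
function checkOutbound(rawUrl, allowed = ALLOWED_HOSTS) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // Reject userinfo: in such URLs the real host is the part after the '@'.
  if (u.username || u.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  // WHATWG URL parsing lowercases the host, so an exact Set lookup is enough.
  if (!allowed.has(u.hostname)) {
    return { ok: false, reason: 'host not on whitelist' };
  }
  return { ok: true, host: u.hostname };
}

// Response headers: copy only the upstream content type, then force the body to
// be handled as a download named p.txt. As the thread notes, this only changes
// top-level navigation; img, script and link loads ignore Content-Disposition.
function proxyResponseHeaders(upstream) {
  const out = {};
  for (const [name, value] of Object.entries(upstream)) {
    if (name.toLowerCase() === 'content-type') out['content-type'] = value;
  }
  out['content-disposition'] = 'attachment; filename="p.txt"';
  return out;
}

// Constructed upstream response: an HTML page that tries to render inline.
const sample = { 'Content-Type': 'text/html', 'Content-Disposition': 'inline' };
console.log(checkOutbound('http://www.example.com/i_heart_apis_sm.png'));
console.log(checkOutbound('http://www.example.com.other.test/login'));
console.log(proxyResponseHeaders(sample));
```
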

