That is abuse! I think...

On Wed, Jul 16, 2008 at 6:34 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:
> Well what you -could- do is create a site, and host all the 'images' (let's
> pretend this does not involve scantily dressed people) on the pages on <img
> src="http://shindig/proxy?url=http://myhost.com/some/image.gif" /> ... and
> thus offloading most of the bandwidth used to the proxy instead of the
> originating site.
>
>
>
> On Jul 16, 2008, at 11:27 PM, Emilio Daniel González wrote:
>
>> So, if I were a bad guy, can I copy all Internet into the proxy?! =P
>>
>> On Wed, Jul 16, 2008 at 6:07 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
>>>
>>> On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González <[EMAIL PROTECTED]> wrote:
>>>
>>>> btw, why are all the files that pass through the proxy named "p.txt"?
>>>> Is it a convention or what?
>>>
>>>
>>> the "p" is arbitrary (it stands for proxy). The .txt extension generally
>>> causes the file to be opened in a text editor rather than the web browser
>>> (either that or the user gets a download dialog). Most other extensions
>>> would be loaded in the browser (making the technique ineffective) or
>>> blocked by security software.
>>>
>>>
>>>>
>>>> On Wed, Jul 16, 2008 at 5:58 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> So how does it prevent the use of the proxy as a 'free Akamai' when people
>>>>> can use it for their images/etc?
>>>>>
>>>>>
>>>>> On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote:
>>>>>
>>>>>> Yes, it works under that use case. Sending it as an attachment does not
>>>>>> interfere with legitimate use of the proxy as it does not impact img,
>>>>>> object, embed, script, or link elements or style sheet imports.
>>>>>>
>>>>>> On Wed, Jul 16, 2008 at 1:46 PM, Ropu <[EMAIL PROTECTED]> wrote:
>>>>>>
>>>>>> hi
>>>>>>>
>>>>>>> i have a question.
>>>>>>>
>>>>>>> will sending proxy results as attachment work with this example?
>>>>>>>
>>>>>>> *Let the container cache your dynamic content*
>>>>>>> http://code.google.com/apis/opensocial/articles/latency/#dynamic
>>>>>>>
>>>>>>> The gadgets.io.getProxyUrl function will return the location of the
>>>>>>> cached version of the URL you provide, including images, JavaScript, and
>>>>>>> CSS. So instead of using the URL of content hosted on your server, like this:
>>>>>>>
>>>>>>> function showImage() {
>>>>>>>   var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
>>>>>>>   var html = ['<img src="', imgUrl, '">'];
>>>>>>>   document.getElementById('dom_handle').innerHTML = html.join('');
>>>>>>> }
>>>>>>>
>>>>>>> showImage();
>>>>>>>
>>>>>>> you can use the URL of the cached content, like this:
>>>>>>>
>>>>>>> function showImage() {
>>>>>>>   var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
>>>>>>>   // Ask the container for the proxied (cached) location of the image
>>>>>>>   var cachedUrl = gadgets.io.getProxyUrl(imgUrl);
>>>>>>>   var html = ['<img src="', cachedUrl, '">'];
>>>>>>>   document.getElementById('dom_handle').innerHTML = html.join('');
>>>>>>> }
>>>>>>>
>>>>>>> showImage();
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> if so, its preventing "free akamai" or phishing?
>>>>>>>
>>>>>>> said this, or the example is wrong (and we are limiting functionality)
>>>>>>> or the solution is partial (or I'm completely mixed up :P)
>>>>>>>
>>>>>>> ropu
>>>>>>>
>>>>>>> On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
>>>>>>>
>>>>>>>> On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <[EMAIL PROTECTED]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> what is the suggested strategy to prevent abuse of the open proxy at
>>>>>>>>> /gadgets/proxy? I found some old discussions from February about adding
>>>>>>>>> the IP address of the user as HTTP header. Some testing however showed that
>>>>>>>>> this is not yet implemented.
>>>>>>>>>
>>>>>>>>> Are there any plans to implement some kind of whitelist feature? More
>>>>>>>>> importantly: Are there any reasons against implementing such a feature?
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> You could always add a whitelist for outbound requests, but you'd have to
>>>>>>>> do a custom http fetcher implementation.
>>>>>>>>
>>>>>>>> The Java version is currently returning all proxied files as attachments,
>>>>>>>> which has helped significantly with reducing the potential of
>>>>>>>> /gadgets/proxy as a phishing vector or free Akamai.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Best Regards,
>>>>>>>>>
>>>>>>>>> Karsten Beyer
>>>>>>>>> [EMAIL PROTECTED]
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> .-. --- .--. ..-
>>>>>>> R o p u
>>>>>>>
>>>>>>>
>>>>>
>>>>
>
>
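
The two mitigations discussed in this thread, a whitelist for outbound requests and returning every proxied file as an attachment named p.txt, sketched as an added example (not Shindig's code and not written by anyone in the thread). The host list, the function names and the `http://shindig/` base are assumptions made for illustration.

```javascript
// Added example, not Shindig code. Host names in the list are constructed.
const ALLOWED_HOSTS = ['www.example.com', 'static.example.org']; // assumption: set by the deployer

// Outbound whitelist: may the proxy fetch `target` at all?
function isAllowedTarget(target, allowedHosts = ALLOWED_HOSTS) {
  let u;
  try {
    u = new URL(target);
  } catch (e) {
    return false; // not an absolute URL
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  // Reject userinfo so "http://allowed-host@other-host/" cannot be misread.
  if (u.username || u.password) return false;
  const host = u.hostname.toLowerCase().replace(/\.$/, ''); // drop a trailing dot
  return allowedHosts.includes(host); // exact match only, no suffix matching
}

// Headers for a proxied response: keep the upstream type, force a download.
function proxyResponseHeaders(upstreamContentType) {
  return {
    'Content-Type': upstreamContentType || 'application/octet-stream',
    'Content-Disposition': 'attachment; filename=p.txt',
  };
}

// Decision for one /gadgets/proxy?url=... request (base URL is a placeholder).
function handleProxyRequest(requestUrl, upstreamContentType) {
  const target = new URL(requestUrl, 'http://shindig/').searchParams.get('url');
  if (!target || !isAllowedTarget(target)) {
    return { status: 403, headers: {} };
  }
  return { status: 200, headers: proxyResponseHeaders(upstreamContentType) };
}
```

As noted in the thread, the attachment header does not affect img, script or stylesheet loads, so in this sketch it is the whitelist check that refuses a request for an unlisted host.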
