Don't run the proxy on your internal network - it needs to have access to the internet, not your data center.
On Thu, Oct 23, 2008 at 5:32 PM, John Hjelmstad <[EMAIL PROTECTED]> wrote:
> Tim:
> I'll try to give a high-level summary of issues here - feel free to dive
> deeper on any.
>
> First off, as you intuited, the open proxy is essentially a requirement for
> gadget hosting, irrespective of which server you use, due to the same-domain
> browser security policy, enforced on virtually all current browsers.
>
> The proxy is limited (locked-down) in a few ways:
>
> 1. Most importantly, the proxy only serves content from the host(s) that the
> gadget renderer does, which must be domain-isolated from those serving
> privileged content. e.g. foo.gmodules.com rather than foo.google.com, or
> foo.hi5modules.com rather than foo.hi5.com.
>
> 2. Content served by it is served with a Content-Disposition: attachment;
> header. This helps prevent phishing attacks primarily, as well as "gadget
> XSS" when rendering gadgets on locked domains.
>
> 3. Content size is limited to 1MM bytes.
>
> 4. JS responses are prepended with unparseable cruft to, for instance, prevent
> <script src> attacks.
>
> 5. Some installations may choose to apply additional Referer checks to proxy
> requests.
>
> In addition to these, many sites have general-purpose systems for detecting
> overuse by given referers, IP (range)s, etc. But those aren't part of
> Shindig.
>
> Anyone on the list, please feel free to add more if I've missed anything.
>
> --John
>
>
> On Thu, Oct 23, 2008 at 3:45 PM, Tim Wintle <[EMAIL PROTECTED]> wrote:
>
>> Hi, I've got a question regarding security issues:
>>
>> The proxy features obviously expose an open proxy on the server.
>> The config files just say:
>>
>> // Note: /proxy is an open proxy. Be careful how you expose this!
>>
>> What does this comment mean - surely this is required for gadgets.io, so
>> what can we do to lock this down? On the other hand, I don't feel
>> comfortable letting an open proxy live on our servers.
>>
>> Am I missing something?
>>
>> (I've decided to use the php server for the time being)
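The five lockdowns John lists (locked-domain serving, Content-Disposition: attachment, the 1MM-byte cap, the unparseable JS prefix, and the optional Referer check) expressed as two small policy functions. This is an added illustration written for this page, not Shindig's /proxy code from either the Java or the PHP server; the domain names, the prefix string, the MAX_BYTES constant, the extra X-Content-Type-Options header and the function names are all assumptions, and the sample requests at the bottom are constructed rather than captured traffic.

```python
"""
Lockdown checks for a gadget content proxy, following the five points in the
thread above. Added example, not Shindig's own code; every name is assumed.
"""
from urllib.parse import urlparse

# Assumed deployment: the proxy is served only on the locked gadget domains
# (item 1), never on the hosts that serve privileged, logged-in content.
LOCKED_DOMAINS = {"foo.gmodules.com", "foo.hi5modules.com"}
PRIVILEGED_DOMAINS = {"foo.google.com", "foo.hi5.com"}

MAX_BYTES = 1_000_000  # item 3: 1MM-byte cap on proxied content

# Item 4: a prefix that turns a JS/JSON body into a syntax error when loaded
# via <script src="https://locked-domain/proxy?url=..."> (assumed string;
# any token that cannot parse as JavaScript will do).
JS_PREFIX = b"throw 1; <unparseable cruft>\n"
SCRIPT_TYPES = {"application/javascript", "text/javascript",
                "application/x-javascript", "application/json"}


def check_request(host, referer, target_url, referer_allowlist=LOCKED_DOMAINS):
    """Decide whether the proxy may fetch target_url for this request.

    host        -- the Host header the proxy endpoint was reached on
    referer     -- the Referer header (None if absent)
    target_url  -- the url= parameter
    Returns (allowed, reason). referer_allowlist=None disables item 5.
    """
    # Item 1: refuse to act at all unless reached on a locked domain.
    if host in PRIVILEGED_DOMAINS or host not in LOCKED_DOMAINS:
        return False, f"proxy not served on a locked gadget domain: {host!r}"
    # Item 5: optional Referer check; a missing Referer counts as a miss.
    if referer_allowlist is not None:
        ref_host = urlparse(referer or "").hostname
        if ref_host not in referer_allowlist:
            return False, f"referer not in allowlist: {referer!r}"
    # Only proxy plain http(s) URLs with a real host (no file:, no javascript:).
    target = urlparse(target_url)
    if target.scheme not in ("http", "https") or not target.hostname:
        return False, f"unsupported target url: {target_url!r}"
    return True, "ok"


def build_response(content_type, body, max_bytes=MAX_BYTES):
    """Wrap a fetched body in the headers the proxy must add.

    Returns (status, headers, body). Item 2: every response is an attachment,
    so a proxied HTML page never renders in the locked domain's origin;
    item 3: oversize bodies are rejected; item 4: script-ish bodies get the
    prefix. X-Content-Type-Options is an extra not in the thread's list.
    """
    if len(body) > max_bytes:
        return 413, {}, b""
    media_type = content_type.split(";", 1)[0].strip().lower()
    headers = {
        "Content-Type": content_type,
        "Content-Disposition": "attachment;filename=p.txt",
        "X-Content-Type-Options": "nosniff",  # assumed extra: stop MIME sniffing
    }
    if media_type in SCRIPT_TYPES:
        body = JS_PREFIX + body
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        ("foo.gmodules.com", "https://foo.gmodules.com/gadgets/ifr", "http://example.org/lib.js"),
        ("foo.google.com", "https://foo.gmodules.com/gadgets/ifr", "http://example.org/lib.js"),
        ("foo.gmodules.com", "https://attacker.example/", "http://example.org/lib.js"),
        ("foo.gmodules.com", "https://foo.gmodules.com/gadgets/ifr", "file:///etc/passwd"),
    ]
    for host, ref, url in samples:
        print(host, ref, url, "->", check_request(host, ref, url))
    status, hdrs, out = build_response("application/javascript", b"alert(1)")
    print(status, hdrs["Content-Disposition"], out)
```

The Host check is the one that matters most: if the same handler is ever mounted on the privileged domain, every other measure is moot, because the attachment header and JS prefix only limit what a browser will do with the bytes, not which cookies were sent to fetch them.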

