Hi,
On Tuesday, 11.03.2008, at 11:17 +0100, Bertrand Delacretaz wrote:
> Hi,
>
> I'm playing with some Ajax stuff using Sling, and hitting the
> cross-domain limitations. Having an optional built-in HTTP proxy in
> Sling would be useful.
>
> I could create a servlet under extensions/http-proxy, that uses the
> httpproxy selector, handling requests like:
>
> /foo.httpproxy.anyextension/www.somewhere.com/somepath?someParam=42
>
> by returning the content of
> http://www.somewhere.com/somepath?someParam=42 as is.
>
> WDYT?
While technically certainly interesting, it poses a series of problems:
* The request originates from the Sling server appearing as the client
to the server to which the request is proxied. Hence the client may
effectively hide behind Sling.
* Sling may therefore be used for attacks where the root of the attack
is hidden.
* We shift the cross-domain limitation from the client to the server
and burden the server with protection against dangers.
So I have some concerns about this feature.
Just my €0.02
Regards
Felix