Felix Meschberger wrote:
Hi,
On Tuesday, 11.03.2008, 11:17 +0100, Bertrand Delacretaz wrote:
Hi,
I'm playing with some Ajax stuff using Sling, and hitting the
cross-domain limitations. Having an optional built-in HTTP proxy in
Sling would be useful.
I could create a servlet under extensions/http-proxy, that uses the
httpproxy selector, handling requests like:
/foo.httpproxy.anyextension/www.somewhere.com/somepath?someParam=42
by returning the content of
http://www.somewhere.com/somepath?someParam=42 as is.
WDYT?
While technically certainly interesting it poses a series of problems:
* The request originates from the Sling server appearing as the client
to the server to which the request is proxied. Hence the client may
effectively hide behind Sling.
* Sling may therefore be used for attacks where the root of the attack
is hidden.
* We shift the cross-domain limitation from the client to the server
and burden the server with protection against dangers.
So I have some concerns about this feature.
I share the same concerns, in addition I think this is a more general
feature which *might be* of interest for any web framework using ajax.
Atm I think we should not deal with things like these unless we really
need them :)
Carsten
--
Carsten Ziegeler
[EMAIL PROTECTED]
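
The server-side protection burden raised in the thread, sketched as an added example (not code from the thread or from Sling): the proposed request form is mapped to its upstream URL and refused unless the host is on an operator-defined allowlist. The class name, method name and allowlist contents are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

// Added illustration, not Sling code. Class, method and allowlist are hypothetical.
public class ProxyTargetCheck {
    static final String SELECTOR = ".httpproxy.";
    // Assumption: the operator lists the only hosts the proxy may fetch from.
    static final Set<String> ALLOWED_HOSTS = Set.of("www.somewhere.com");

    /** Maps a request path and query string to the upstream URI, or empty if refused. */
    static Optional<URI> resolve(String path, String query) {
        int sel = path.indexOf(SELECTOR);
        if (sel < 0) return Optional.empty();
        // Skip ".httpproxy.<anyextension>"; the target starts after the next '/'.
        int slash = path.indexOf('/', sel + SELECTOR.length());
        if (slash < 0) return Optional.empty();
        String target = "http://" + path.substring(slash + 1)
                + (query == null ? "" : "?" + query);
        URI uri;
        try {
            uri = new URI(target).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        String host = uri.getHost();
        // Refuse userinfo ("allowed@other"), explicit ports and unlisted hosts.
        if (host == null || uri.getUserInfo() != null || uri.getPort() != -1
                || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return Optional.empty();
        }
        return Optional.of(uri);
    }

    public static void main(String[] args) {
        // Constructed sample requests; the first is the form used in the thread.
        String[][] samples = {
            {"/foo.httpproxy.anyextension/www.somewhere.com/somepath", "someParam=42"},
            {"/foo.httpproxy.html/intranet.example/admin", null},
            {"/foo.httpproxy.html/www.somewhere.com@intranet.example/", null},
            {"/foo.html/www.somewhere.com/somepath", null},
        };
        for (String[] s : samples)
            System.out.println(s[0] + " -> "
                    + resolve(s[0], s[1]).map(URI::toString).orElse("REFUSED"));
    }
}
```

Only the first sample resolves; the others print `REFUSED`. The code that performs the fetch would also have to refuse redirects to hosts outside the list.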