Hi,

On Tuesday, 11.03.2008, 11:43 +0100, Bertrand Delacretaz wrote:
> On Tue, Mar 11, 2008 at 11:34 AM, Felix Meschberger <[EMAIL PROTECTED]> wrote:
>
> > ...
> > * Sling may therefore be used for attacks where the root of the attack
> > is hidden
> >
> > * We shift the cross-domain limitation from the client to the server
> > and burden the server with protection against dangers....
>
> Agreed - we could use a configurable list of URL prefixes (like
> www.somewhere.com/somepath) to which proxy requests are allowed, and
> set a very restrictive default value that would only allow our tests
> and demos to run.
Hmm, such a configuration could be an option. Limiting the default is
certainly a very good thing. Though having default configuration for
tests and demos is problematic IMHO...

> And maybe add a header to the proxied requests that shows that Sling
> was involved in it.

I would certainly opt for such a thing - many proxies use the
X-Forwarded-For and Via headers for this information. I suggest that
besides of course forwarding all request headers, these two headers
should be added.

> I think the problem is no different than people using mod_proxy to do
> that, our responsibility is IMHO limited to make people aware of the
> issues, which could be done in the description of the above "proxy
> requests patterns" configuration property.

Agreed - and we also have to describe this for administrators to limit
the functionality or to "switch it off" altogether.

Regards
Felix
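The two mitigations discussed in this exchange, a configurable list of allowed URL prefixes with a deny-everything default and the X-Forwarded-For / Via headers on forwarded requests, as an added example that is not Sling code and not from this thread. Function names (`is_allowed`, `build_forward_headers`), the `DEFAULT_ALLOWED_PREFIXES` constant and the sample URLs and hosts are constructed for illustration; the prefix format `www.somewhere.com/somepath` follows Bertrand's suggestion. The check matches whole path segments and collapses `..` so that a target cannot slip out of the allowed subtree, and it rejects non-HTTP schemes and userinfo in the authority, which are the usual ways an open proxy gets pointed at something it should not reach.

```python
"""Allowlist check for outgoing proxy targets plus hop-marking headers.

Added example (not Sling code). Models the "proxy requests patterns"
configuration idea: a list of host/path prefixes, empty by default.
"""
import posixpath
from urllib.parse import urlsplit

# Restrictive default: nothing may be proxied until an administrator
# configures at least one prefix. (Constructed name, not a Sling property.)
DEFAULT_ALLOWED_PREFIXES = ()


def _split_prefix(prefix):
    """Turn 'www.somewhere.com/somepath' into (host, port, normalised path).

    A prefix without a port matches any port; with a port it must match.
    """
    if "://" not in prefix:
        prefix = "http://" + prefix
    parts = urlsplit(prefix)
    return parts.hostname.lower(), parts.port, posixpath.normpath(parts.path or "/")


def is_allowed(target_url, allowed_prefixes=DEFAULT_ALLOWED_PREFIXES):
    """Return True only if target_url falls under one configured prefix."""
    parts = urlsplit(target_url)
    # Only plain HTTP(S); no file:, ftp: or other schemes through the proxy.
    if parts.scheme not in ("http", "https"):
        return False
    # 'user@host' authorities confuse naive host matching; refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False
    if not parts.hostname:
        return False
    host = parts.hostname.lower()
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port
        return False
    # Collapse '.' and '..' so a path cannot escape the allowed subtree.
    path = posixpath.normpath(parts.path or "/")
    for prefix in allowed_prefixes:
        p_host, p_port, p_path = _split_prefix(prefix)
        if host != p_host:
            continue
        if p_port is not None and port != p_port:
            continue
        # Whole-segment match: '/somepath' must not admit '/somepathology'.
        if path == p_path or path.startswith(p_path.rstrip("/") + "/"):
            return True
    return False


def _find_header(headers, name):
    """Case-insensitive lookup; returns (existing key or name, value or None)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return key, value
    return name, None


def build_forward_headers(request_headers, client_ip, proxy_host):
    """Copy all request headers and mark this hop with X-Forwarded-For and Via."""
    headers = dict(request_headers)
    key, xff = _find_header(headers, "X-Forwarded-For")
    headers[key] = f"{xff}, {client_ip}" if xff else client_ip
    key, via = _find_header(headers, "Via")
    hop = f"1.1 {proxy_host}"  # RFC 7230 style: received-protocol received-by
    headers[key] = f"{via}, {hop}" if via else hop
    return headers


if __name__ == "__main__":
    allow = ("www.somewhere.com/somepath",)
    for url in ("http://www.somewhere.com/somepath/page",
                "http://www.somewhere.com/somepath/../admin",
                "http://www.somewhere.com@evil.example/somepath"):
        print(url, "->", "allowed" if is_allowed(url, allow) else "denied")
    print(build_forward_headers({"Host": "www.somewhere.com"},
                                "192.0.2.7", "sling.example"))
```

The appended headers only tell the upstream site that a proxy was involved; they do not stop anything by themselves. The allowlist is what limits the damage, and the empty default means an administrator who never configures the property gets a proxy that forwards nothing, which is the "switch it off" behaviour Felix asks for.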
