Provide optional "Locked Domains" configuration to provide unique origins for
each widget instance
--------------------------------------------------------------------------------------------------
Key: WOOKIE-310
URL: https://issues.apache.org/jira/browse/WOOKIE-310
Project: Wookie
Issue Type: New Feature
Reporter: Scott Wilson
A useful feature in Shindig is Locked Domains, which uses subdomains to ensure
each gadget has a unique origin, preventing a range of potential security
problems.
For Wookie, this would be very useful to have, as it would then allow us to
selectively relax the proxy restrictions to support WOOKIE-251 without creating
security issues. For example, if locked domains is enabled, the proxy could
support full headers being sent and returned, as there is no potential leakage
of the headers across widget instances as each has a different origin.
To implement this would only require a small amount of code to check for
"widget.server.lockedDomainsRequired=true" in widgetserver.properties and then
prepend the widget URL returned with a UUID generated from the widget instance
idkey. To configure this in use, the server admin would need to set up a
wildcard subdomain prefix in their vhost config.
For the proxy, a check could be made against the same property - if set to
true, send and return all headers including Authorization; if set to false,
filter out the headers as we do currently.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
