On 21 Nov 2012, at 20:39, Minh Tien Hoang wrote:

> Dear all,
>
> Currently, the widget instance id used as a url parameter is vulnerable to
> eavesdropping, even when the line is SSL enabled. Someone can listen on the
> line, capture this id, then hijack the widget instance. To avoid that, we
> simply put it in the hash part of the URL to make sure that it always stays at the
> browser side and does not travel on the line.
> Another thing: should we also keep the proxy url in the widget instance url or
> just inject it as a parameter in the widget object when initiating? It would
> shorten the url.
> What do you think?

Hi Tien,

I definitely agree it's time to rethink the widget instance id, for the reasons you've identified.

Previously I proposed[1] adopting the same model as Shindig, which is to encrypt the set of parameters that identify the context of the widget and its data, and pass this as a token. I've done some work on this to test the concepts, and I think it's viable, but it would result in a lot of backwards-incompatible changes, so it is something we perhaps could introduce in a major revision branch (1.0?).

I'll create an issue for this in Jira and attach the code I wrote to try it out with so you can see what it involves.

(On the shortening issue... yes I think we can drop the proxy url as a parameter and just add it to the metadata)

S

[1] http://mail-archives.apache.org/mod_mbox/incubator-wookie-dev/201206.mbox/%[email protected]%3e

>
> Tien.
>
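
The token model mentioned in the reply (encrypt the parameters that identify the widget's context and pass the result as one opaque value), as an added example that is not part of the original thread and is not Wookie or Shindig code. It assumes Node.js with the built-in `crypto` module; the context field names, the one-hour lifetime and the per-process key are hypothetical choices made for the illustration.

```javascript
// Added example: seal a widget context into an opaque, tamper-evident token.
const crypto = require('crypto');

// Assumption: a 32-byte server-side secret; generated per process for the demo.
const KEY = crypto.randomBytes(32);
const MAX_AGE_MS = 60 * 60 * 1000; // assumed token lifetime: 1 hour

// Encrypt the context with AES-256-GCM and return "iv.ciphertext.tag",
// each part base64url-encoded so the token is safe to place in a URL.
function sealContext(ctx, key = KEY, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce for every token
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.from(JSON.stringify({ ...ctx, iat: now }), 'utf8');
  const ct = Buffer.concat([cipher.update(body), cipher.final()]);
  return [iv, ct, cipher.getAuthTag()]
    .map((b) => b.toString('base64url'))
    .join('.');
}

// Decrypt and authenticate a token. Returns the context object, or null if
// the token is malformed, was modified, was sealed with another key, or expired.
function openContext(token, key = KEY, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [iv, ct, tag] = parts.map((p) => Buffer.from(p, 'base64url'));
  if (iv.length !== 12 || tag.length !== 16) return null;
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    // final() throws when the authentication tag does not match.
    const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
    const ctx = JSON.parse(plain.toString('utf8'));
    if (typeof ctx.iat !== 'number') return null;
    if (now < ctx.iat || now - ctx.iat > MAX_AGE_MS) return null;
    return ctx;
  } catch {
    return null;
  }
}
```

Because the context travels inside the token, the server needs no guessable instance id in the URL, and the expiry limits how long a captured token stays usable.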
