Hi guys,

We just recently got a test instance up at publictest10 and I have started working on accessing resources as an authenticated user. There is a large issue here, however, since the browser's security model rightfully prevents us from doing requests such as this. There are several ways around this security, all with their own pitfalls.

The first one, which I use, is to have a proxy page which makes the calls on the server, which is not subject to the security concerns. The issue with this is it can't be authenticated and involves shipping data through an extra server.

The second way is to use JSONP callback script injection. This one involves the JSON call returning data as a JavaScript callback which is then script injected into the page and eval'ed. This is extremely insecure as it allows the server to send back any JavaScript, which is executed on the user's browser. I've tested this by sending an alert back from bodhi's 'list' call and it can display any data available to the browser.

Another way, which I am not sure is possible, would be to do URL rewriting to make it look like all of our resources are coming from the same domain, e.g. http://myfedora.fedoraproject.org/bodhi would be rewritten to point to a bodhi instance. Though this might work if they were running under the same Apache instance, I am pretty sure it would fall down if they were running on different servers.

The last way, which I discussed with the FAS guys some time back, would be the ability to forward credentials from a proxy. This would require FAS support that I am pretty sure is not there yet. I'm not even sure how it would be implemented.

In any case, there is the issue that needs to be solved. Any input would be great.

--
John (J5) Palmieri <johnp@xxxxxxxxxx>
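
The JSONP risk described in the message, as an added example that is not part of the original post: when the response is fetched as text (for instance by the server-side proxy from the first option), it can be accepted only if it is exactly one call to the expected callback with a JSON argument, and parsed with `JSON.parse` instead of being script-injected. The function name, the callback name `handleList` and the sample bodies are assumptions constructed for illustration.

```javascript
// Added example: treat a JSONP response body as data, never as script.
// parseJsonpAsData, handleList and the sample bodies are hypothetical.

function parseJsonpAsData(body, expectedCallback) {
  // The callback name is chosen by the caller and must be a plain identifier.
  if (!/^[A-Za-z_$][\w$]*$/.test(expectedCallback)) {
    throw new Error("invalid callback name");
  }
  const text = body.trim();
  const prefix = expectedCallback + "(";
  if (!text.startsWith(prefix)) {
    throw new Error("response does not start with the expected callback");
  }
  // Allow one optional trailing semicolon after the closing parenthesis.
  const end = text.endsWith(");") ? text.length - 2
            : text.endsWith(")") ? text.length - 1
            : -1;
  if (end < prefix.length) {
    throw new Error("response is not a single callback invocation");
  }
  // JSON.parse accepts only JSON text; an extra statement or a function
  // call inside the argument makes it throw instead of executing.
  return JSON.parse(text.slice(prefix.length, end));
}

// Constructed sample bodies: one well-formed, three that a script tag
// would execute but that this parser refuses.
const SAMPLES = [
  'handleList({"updates":[{"title":"pkg-1.0-1","status":"testing"}]});',
  'alert(document.cookie)',
  'handleList({"updates":[]});alert(1)',
  'handleList(alert(1))',
];

function checkSamples() {
  return SAMPLES.map((body) => {
    try {
      return { body, accepted: true, data: parseJsonpAsData(body, "handleList") };
    } catch (err) {
      return { body, accepted: false, reason: err.message };
    }
  });
}

for (const result of checkSamples()) {
  console.log(result.accepted ? "ACCEPT" : "REJECT", result.body);
}
```

This only helps where the page receives the body as text; a `<script>` tag pointed at another origin still runs whatever that server returns.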