incubator-callback-dev mailing list archives

From "Patrick Mueller (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-1494) Supports running server behind a proxy, such as Heroku Cedar
Date Tue, 18 Sep 2012 13:44:07 GMT

    [ https://issues.apache.org/jira/browse/CB-1494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13457819#comment-13457819 ]

Patrick Mueller commented on CB-1494:
-------------------------------------

Thinking about it, I think it's the entire XFF header value which should be considered here,
unless there are cases where that header value might change while you are in a debug session.
Seems like that would be unusual.

Just taking the first address (original client IP) won't work if those addresses are behind
different NATs - you'll get multiple 192.168.1.2 values from two different machines.  And
taking the last doesn't work either, as that's just your last proxy - which, in the cases you're
trying to handle, will be the same all the time.

But I think considering the entire value will probably work, as it should uniquely identify
a client.

What I'm a little worried about is the display of that value to the user on the remote panel.
I'm happy to display it like we are today, and if it causes a problem later, we can fix it.
Please make sure to HTML escape the string though, likely we were not doing that before.

In terms of security, I guess the case I'm wondering about is if you DON'T run behind a proxy
that adds the XFFs, then an evil client can add one himself, and the server won't know any
different.  But it's also possible to spoof IP addresses at the IP level, so, not sure there's
any real loss of security here.  And the only real security in weinre is obscurity anyway
- we may need to look at this closer if we decide to add real security to weinre.

Adding a bullet to multiuser.html seems like a good place to doc this.

As for test cases, we don't have any real ones now - if you'd like to create one, even for
just this patch, that would be awesome.  I'd be happy to discuss tests in general at the mailing
list, or in a new bug - take your pick.  There are some tests in WebKit itself for Web Inspector,
and it would be interesting to see if we could reuse these.

Documentation is an easier story.  Fix whatever needs to be fixed.  Wanna totally rewrite
it, make it gorgeous?  Do it.  Open a new bug :-)

                
> Supports running server behind a proxy, such as Heroku Cedar
> ------------------------------------------------------------
>
>                 Key: CB-1494
>                 URL: https://issues.apache.org/jira/browse/CB-1494
>             Project: Apache Cordova
>          Issue Type: New Feature
>          Components: weinre
>            Reporter: Patrick Mueller
>            Assignee: Patrick Mueller
>
> created for https://github.com/apache/incubator-cordova-weinre/pull/10

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
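
Added example, not part of the original message and not weinre's own code: one way to key clients on the entire X-Forwarded-For value and HTML escape it before display, as the comment above discusses. The function names, the `behindProxy` setting and the sample requests are assumptions made for illustration.

```javascript
// Escape a value before it is written into the remote panel's HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Normalize an X-Forwarded-For value into a list of trimmed entries.
function parseXff(value) {
  if (Array.isArray(value)) value = value.join(',');
  return String(value || '').split(',').map((p) => p.trim()).filter(Boolean);
}

// Key used to tell clients apart. behindProxy is a hypothetical server
// setting: when the server is NOT behind a proxy that adds XFF, any XFF
// header came from the client itself, so it is ignored.
function clientKey(req, behindProxy) {
  if (!behindProxy) return req.remoteAddress;
  const chain = parseXff(req.headers['x-forwarded-for']);
  // The whole chain is the key, not just its first or last entry.
  return chain.length ? chain.join(', ') : req.remoteAddress;
}

// Constructed sample requests (documentation address ranges).
// a and b share the first entry (same private IP behind different NATs)
// and the last hop, so neither end of the chain alone separates them.
const a = { remoteAddress: '10.1.1.1',
  headers: { 'x-forwarded-for': '192.168.1.2, 203.0.113.10, 10.1.1.1' } };
const b = { remoteAddress: '10.1.1.1',
  headers: { 'x-forwarded-for': '192.168.1.2, 198.51.100.7, 10.1.1.1' } };
// Direct client that supplies its own header containing markup.
const direct = { remoteAddress: '198.51.100.99',
  headers: { 'x-forwarded-for': '"><b>x</b>' } };

function demo() {
  return {
    distinct: clientKey(a, true) !== clientKey(b, true),
    directKey: clientKey(direct, false),
    // What the panel would render if the header were trusted anyway.
    shown: escapeHtml(clientKey(direct, true)),
  };
}
```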
