MyFedora cross domain authentication issues

John (J5) Palmieri johnp at redhat.com
Thu Mar 13 20:40:03 UTC 2008


Hi guys,

We just recently got a test instance up at publictest10 and I have
started working on accessing resources as an authenticated user.  There
is a large issue here, however, since the browser's security model
rightfully prevents us from doing requests such as this.  There are
several ways around this security, all with their own pitfalls.

The first one, which I use, is to have a proxy page which makes the calls
on the server, which is not subject to the security concerns.  The issue
with this is that it can't be authenticated and involves shipping data
through an extra server.

The second way is to use JSONP callback script injection.  This one
involves the json call returning data as a javascript callback which is
then script injected into the page and eval'ed.  This is extremely
insecure as it allows the server to send back any javascript which is
executed on the user's browser.  I've tested this by sending an alert
back from bodhi's 'list' call and it can display any data available to
the browser.

Another way which I am not sure is possible would be to do URL rewriting
to make it look like all of our resources are coming from the same
domain, e.g. http://myfedora.fedoraproject.org/bodhi would be rewritten
to point to a bodhi instance.  Though this might work if they were
running under the same apache instance, I am pretty sure it would fall
down if they were running on different servers.

The last way, which I discussed with the Fas guys some time back, would be
the ability to forward credentials from a proxy.  This would require Fas
support that I am pretty sure is not there yet.  I'm not even sure how
it would be implemented.

In any case, there is the issue that needs to be solved.  Any input
would be great.

-- 
John (J5) Palmieri <johnp at redhat.com>
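The JSONP problem described in the mail above, as an added example that is not part of the original message and not code from MyFedora or bodhi: the first function models what a browser does when a JSONP response is injected as a script tag (the whole body runs as JavaScript with the page's globals in scope), and the second shows how a consumer that can read the body as text, such as the server-side proxy page the mail mentions, can accept JSONP as data only by stripping the callback wrapper and parsing the remainder with JSON.parse. The sample responses, the callback name handleList and the page globals are all constructed for the example; the script-injection path is simulated with new Function so it runs offline under Node.js.

```javascript
// Added example (not from the original mail or from MyFedora/bodhi).
// Shows why script-injected JSONP gives the remote server arbitrary code
// execution in the page, and how a same-origin or proxy-side consumer can
// treat the same response as data only.

// Constructed sample responses; "handleList" is an assumed callback name.
const BENIGN_JSONP =
  'handleList({"updates": [{"title": "kernel-2.6.24-7.fc8"}]});';
const MALICIOUS_JSONP =
  'handleList({"updates": []}); leaked.push(document.cookie);';
const PLAIN_JSON = '{"updates": [{"title": "kernel-2.6.24-7.fc8"}]}';

// Models <script src="...?callback=handleList"> injection: the entire body
// is executed as JavaScript with the page's globals visible to it.
// `pageGlobals` stands in for window (document, any accumulator, ...).
// new Function is used only to simulate script evaluation offline.
function consumeJsonpByInjection(responseBody, pageGlobals) {
  let received;
  const scope = { ...pageGlobals, handleList: (data) => { received = data; } };
  const script = new Function(...Object.keys(scope), responseBody);
  script(...Object.values(scope));
  return received;
}

// Strict alternative for any consumer that gets the body as text (a
// same-origin XMLHttpRequest, or the proxy page validating upstream output):
// require exactly one callback invocation wrapped around a JSON literal and
// parse that literal with JSON.parse. Nothing is ever evaluated as code.
function parseJsonpStrictly(responseBody, callbackName) {
  const trimmed = responseBody.trim().replace(/;$/, '');
  const prefix = callbackName + '(';
  if (!trimmed.startsWith(prefix) || !trimmed.endsWith(')')) {
    throw new Error('response is not a bare callback invocation');
  }
  const payload = trimmed.slice(prefix.length, -1);
  // Trailing statements smuggled after the callback end up inside `payload`
  // and make it invalid JSON, so JSON.parse rejects them.
  return JSON.parse(payload);
}

// Once data arrives from the same origin (e.g. via the proxy page) no
// callback wrapper is needed at all; plain JSON is parsed, not executed.
function parseJson(responseBody) {
  return JSON.parse(responseBody);
}

function demo() {
  const page = { document: { cookie: 'fas_session=secret' }, leaked: [] };
  console.log('benign JSONP via injection:',
    consumeJsonpByInjection(BENIGN_JSONP, page));
  consumeJsonpByInjection(MALICIOUS_JSONP, page);
  console.log('leaked to the remote server by injection:', page.leaked);
  try {
    parseJsonpStrictly(MALICIOUS_JSONP, 'handleList');
  } catch (e) {
    console.log('strict parser rejected malicious body:', e.message);
  }
  console.log('strict parser accepted benign body:',
    parseJsonpStrictly(BENIGN_JSONP, 'handleList'));
  console.log('plain JSON:', parseJson(PLAIN_JSON));
}

demo();
```

The strict parser only helps where the client or proxy can read the response as text; a page that relies on script injection precisely because it cannot make a cross-domain request has no opportunity to inspect the body before the browser executes it, which is the core of the problem the mail describes.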



