More On Medium Trust and Trackbacks


In my last post, one of the restrictions I listed for running in medium trust is that HTTP access is only allowed to the same domain. It is possible to add a single domain in web.config via the originUrl attribute of the <trust> element, as described by Cathal.

Adding more than one domain requires editing machine.config or creating a custom trust policy, neither of which will be accessible to many users in a hosted environment. This may pose a big problem for those who care about trackbacks, since even if you could modify machine.config, there is no way to predetermine every domain you will send a trackback to.
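As an added illustration (not from the original post), here is how the settings described above fit together in ASP.NET 2.0: the single-host originUrl form, the WebPermission element it feeds, and the multi-host form that needs a custom policy file. The host names, the "Custom" level name and the web_customtrust.config file name are placeholders chosen for this example.

```xml
<!-- 1. Application web.config: allow one extra host (placeholder name).
        The value is treated as a regular expression, so escape the dots
        and pin the host to keep the permission narrow. -->
<configuration>
  <system.web>
    <trust level="Medium" originUrl="http://www\.example\.com/.*" />
  </system.web>
</configuration>

<!-- 2. Stock medium trust policy (web_mediumtrust.config): originUrl is
        substituted for $OriginHost$, which is why only one entry fits. -->
<IPermission class="WebPermission" version="1">
  <ConnectAccess>
    <URI uri="$OriginHost$" />
  </ConnectAccess>
</IPermission>

<!-- 3. Copy of that policy file (assumed name: web_customtrust.config)
        with the same element listing several hosts explicitly. -->
<IPermission class="WebPermission" version="1">
  <ConnectAccess>
    <URI uri="http://www\.example\.com/.*" />
    <URI uri="http://blog\.example\.org/.*" />
  </ConnectAccess>
</IPermission>

<!-- 4. Machine-level configuration, which the host controls: register
        the custom policy under a new level name and select it. -->
<system.web>
  <securityPolicy>
    <trustLevel name="Custom" policyFile="web_customtrust.config" />
  </securityPolicy>
  <trust level="Custom" />
</system.web>
```

Steps 3 and 4 are the part a shared-hosting customer usually cannot perform, and the list in step 3 is fixed at deployment time, which is the limitation for trackbacks noted above.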

One solution is to beg your hosting environment to relax the WebPermission in medium trust. If trackbacks and pingbacks are important to you, you shouldn’t be above begging. ;)

Another is for someone to create a passthrough trackback system in a fully trusted environment. Essentially this would act on behalf of the medium trusted trackback creator and forward a trackback to the final destination. It would require blogging engines affected by medium trust to trust this single domain. Of course the potential for abuse is high and the rewards are low (unless people out there absolutely love trackbacks).




3 responses

  1. Steve Harman July 9th, 2006
    "Of course the potential for abuse is high and the rewards are low..."

    Agreed! I see such proxies quickly becoming a sort of Open Relay system not unlike those used by email spammers.
    Perhaps a slightly less open solution is to have the hosting providers make a track/ping-back service available to their hosted applications. Then they could restrict access to the service to only allow their clients to use the proxies.

  2. Haacked July 9th, 2006

    A much better idea!

  3. you've been HAACKED October 17th, 2006

    Why Oh Why Couldn't WebPermission Be Part Of Medium Trust?