The SDK currently expects that polling URLs returned from 'create prediction' endpoints will be of a certain form. If a vendor breaks this assumption, any app that uses that endpoint will need to upgrade the SDK.
This can be addressed with the newly added override header: aiproxy-base-url
But that can open a security complication: if someone found a way to inject a polling response URL that belonged to a different domain altogether, they could send themselves the developer's decoded key.
So we'll need to launch this with allowlists that belong to a service on the backend, and check the allowlist in the proxy handler before fulfilling the request.
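One way the allowlist check in the proxy handler could look, as an added example that is not AIProxy's own code. The service id, host names, function names and the 403 response are hypothetical; only the aiproxy-base-url header comes from the text above.

```python
from urllib.parse import urlsplit

# Constructed per-service allowlist. Assumption: it is stored with the service
# record on the backend and is never taken from the client request.
ALLOWED_HOSTS = {
    "svc_example_1": {"api.vendor.example", "poll.vendor.example"},
}

def allowed_base_url(service_id, header_value):
    """Return the normalized https origin if the override is allowlisted, else None."""
    try:
        parts = urlsplit(header_value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https":
        return None
    # Reject userinfo ("https://allowed@other-host/") and backslash tricks
    # that make different URL parsers disagree about the host.
    if "@" in parts.netloc or "\\" in header_value:
        return None
    if port not in (None, 443):
        return None
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact match only: a suffix or substring test would accept
    # "api.vendor.example.other-domain.example".
    if host not in ALLOWED_HOSTS.get(service_id, set()):
        return None
    return f"https://{host}"

def handle(service_id, header_value, default_origin):
    """Choose the upstream origin for a request; returns (status, origin)."""
    if header_value is None:
        return 200, default_origin
    origin = allowed_base_url(service_id, header_value)
    if origin is None:
        return 403, None  # refuse before the developer's key is decoded or attached
    return 200, origin
```

The handler forwards to the normalized origin it computed, not to the raw header string, so the value that was checked is the value that is used.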