mckoss / pageforest

Automatically exported from code.google.com/p/pageforest

Non-public applications don't work. #46

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Steps to Reproduce:

- Create an application and remove 'public' from readers.
- Visit your app - http://nonpub.pageforest.com

Results:

403: Access denied. Missing Referer header. Please sign in and try again.

Expected:

Redirect (302) to http://www.pageforest.com/sign-in/nonpub - so the user can sign in to the application.

Notes:

There is also an error in the sign-in page for non-public apps.  If you go to:

http://www.pageforest.com/sign-in/nonpub

and click Allow Access, no cookie is set on the nonpub.pageforest.com domain (I think because all requests w/o a pre-set cookie are failing - even the /auth/set-session/... request is returning a 403 and not setting the cookie).

Original issue reported on code.google.com by mckoss@gmail.com on 2 Jul 2010 at 8:26

GoogleCodeExporter commented 9 years ago
This issue was updated by revision 7753ca59c4.

The redirect is now implemented. I was able to reproduce the missing cookie
when clicking "Allow Access", indeed because set-session returns 403.

Original comment by jcrocholl on 3 Jul 2010 at 5:53

GoogleCodeExporter commented 9 years ago
This issue was updated by revision e7f15f76b4.

The cross-domain JSONP request for set-session is now allowed, but
the referer check still fails because it is empty or untrusted.
Click here to reproduce this problem: http://nonpub.pageforest.com/

Original comment by jcrocholl on 3 Jul 2010 at 6:17
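
Added example, not part of the original issue thread and not pageforest's code: a sketch of the request gating this report asks for, where an unauthenticated visit to a non-public app gets a 302 to the sign-in page and the set-session request is accepted without a cookie. The signed token format, `SECRET`, and the function names are assumptions; the thread does not say how set-session authenticates or how the fix was implemented.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed value, not a real key
SIGN_IN = "http://www.pageforest.com/sign-in/%s"  # URL shape from the report
SET_SESSION = "/auth/set-session/"  # prefix from the report; token format is assumed


def _mac(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def make_token(user, app, expires):
    """Hypothetical session key handed out by the sign-in page after Allow Access."""
    msg = f"{user}|{app}|{expires}"
    return f"{msg}|{_mac(msg)}"


def check_token(token, app, now):
    """Return the user if the token is authentic, unexpired and bound to this app."""
    try:
        user, tok_app, expires, mac = token.split("|")
        fresh = int(expires) >= now
    except ValueError:
        return None
    good = _mac(f"{user}|{tok_app}|{expires}")
    same = hmac.compare_digest(mac.encode(), good.encode())
    return user if same and fresh and tok_app == app else None


def gate(host, path, cookie_user, readers, now=None):
    """Return (status, detail) for one request to an app subdomain."""
    now = int(time.time()) if now is None else now
    app = host.split(".")[0]
    if path.startswith(SET_SESSION):
        # Bootstrap: this request exists to set the cookie, so it cannot require
        # one. It is authenticated by the signed token instead.
        user = check_token(path[len(SET_SESSION):], app, now)
        return (200, user) if user else (403, None)
    if "public" in readers:
        return 200, cookie_user
    if cookie_user is None:
        # Referer is not consulted: a typed or bookmarked URL carries none.
        return 302, SIGN_IN % app
    return (200, cookie_user) if cookie_user in readers else (403, None)
```

Exempting set-session from the cookie check is only safe when the request carries some other proof of sign-in; here that is the HMAC token bound to the app name and an expiry time.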

GoogleCodeExporter commented 9 years ago
This issue was closed by revision bb4cdfa63d.

Original comment by jcrocholl on 11 Aug 2010 at 10:18

GoogleCodeExporter commented 9 years ago

Original comment by mckoss@gmail.com on 4 Nov 2010 at 11:49