Check the headers of the URL to see if it allows being framed
Activity

Sam Ottenhoff March 16, 2013 at 1:55 PM
Part of a 2.9.x mega-merge r121337

Matthew Jones February 18, 2013 at 2:27 PM
Yeah, it's possible the lists aren't needed.
I'd probably put read and connection timeouts on the connection though. I think that the defaults are unlimited?
Also, how many possible exceptions are thrown in the catch (Exception e) {
It seems like we could log the exception messages, if not the entire stack trace. Could be useful to know if there are problems going on in here. Also would be useful to me for which URLs were bad? I don't think it would get that chatty if it was just a single failure line for every check in an info message?

Charles R Severance February 18, 2013 at 7:31 AM
The two lists are easy enough. I am happy for others to contribute - but if need be I will write this.

Matthew Jones February 18, 2013 at 7:11 AM
I think it was also suggested that we have a white and black list setup to skip many of these checks in the first place, probably should make these properties?
whitelist (domains that can always be framed) would just initially be the localhost domain (always hardcoded to be included). A school may include other local domains or ones they know are good.
blacklist (domains that can never be framed) - Google, Facebook . . . probably other big ones.

Charles R Severance February 16, 2013 at 10:57 PM
OK - I now checked in some JavaScript code that roughly does the following. Set an 8-second timer and when the timer expires, check to see if we can still peek inside the iframe and see the location of the URL in the window. If the load has started, we cannot see inside the iframe any more - this is good. If the load failed somehow, we can see inside the iframe and we assume a problem and show an alert box with an "open in new window" link. We do have to check to see if we can see into the iframe because it is coming from the Sakai host.
X-Frame-Options header does not allow embedding in an iframe.
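
The server-side check discussed in the comments above, as an added example that is not Sakai's code and was not posted by anyone in this thread: a HEAD request with connect and read timeouts, a whitelist/blacklist short-circuit, and one info line per failed check. The class name `FrameCheck`, the list contents, the 5-second timeouts, and the choice to fall back to the new-window link on failure are all assumptions.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;

// Hypothetical helper: class name, list contents and timeouts are assumptions.
public class FrameCheck {
    private static final Logger LOG = Logger.getLogger(FrameCheck.class.getName());
    // Constructed sample lists; a deployment would read these from properties.
    static final Set<String> WHITELIST = Set.of("localhost");
    static final Set<String> BLACKLIST = Set.of("www.google.com", "www.facebook.com");

    /** True if the URL can go in an iframe; false means offer "open in new window". */
    public static boolean canFrame(String url) {
        try {
            URI uri = URI.create(url);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            // Only fetch http(s) URLs that name a host.
            if (host == null || scheme == null || !scheme.matches("(?i)https?")) return false;
            host = host.toLowerCase(Locale.ROOT);
            if (WHITELIST.contains(host)) return true;   // skip the network check
            if (BLACKLIST.contains(host)) return false;

            HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
            conn.setConnectTimeout(5000); // the default of 0 waits indefinitely
            conn.setReadTimeout(5000);
            conn.setRequestMethod("HEAD"); // only the headers are needed
            try {
                conn.getResponseCode();    // sends the request
                return !blocksFraming(conn.getHeaderField("X-Frame-Options"));
            } finally {
                conn.disconnect();
            }
        } catch (Exception e) {
            // One info line per failed check; CR/LF stripped so the URL cannot forge log lines.
            LOG.info("Frame check failed for "
                    + String.valueOf(url).replaceAll("[\\r\\n]", "_") + ": " + e);
            return false; // assumption: fall back to the new-window link
        }
    }

    /** Simplification: DENY, SAMEORIGIN and ALLOW-FROM are all treated as a refusal. */
    static boolean blocksFraming(String xFrameOptions) {
        if (xFrameOptions == null) return false;
        String v = xFrameOptions.trim().toUpperCase(Locale.ROOT);
        return v.equals("DENY") || v.equals("SAMEORIGIN") || v.startsWith("ALLOW-FROM");
    }
}
```

Because the server fetches a URL supplied by a user, the scheme restriction and the timeouts also limit what that request can be pointed at and how long it can hold a thread.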