Hello Fernando!

Yes, it's possible to spoof a request, but you can prevent it using a signed request; that's why it exists.

Basically, your message is ciphered, and using OAuth and a public key you can decipher the post. Check this out, it will surely help you a lot:

http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests

Also here:

http://wiki.opensocial.org/index.php?title=Introduction_To_Signed_Requests

Let me know if you have any doubt.

Robson Dantas

2010/4/5 Fernando <nandotor...@gmail.com>

> Dears,
>
> I'm starting OpenSocial development and my first project is an orkut-based
> widget. I'm still in the learning and project phase, and at this moment my
> question is about sending requests from the widget to my host (for
> processing with MySQL and other server-side issues).
>
> I read about OAuth and signed authentication with samples using PHP and it
> sounds good. My question is:
>
> Since it is possible to see the request made to my server (with all
> parameters sent via POST), can a user spoof the request, sending the same
> data with bogus key-value pairs, and do damage in my application?
>
> What is the best way to prevent spoofs, if it can be done? I'm thinking
> about checking http_referer, but malicious applications in the orkut
> sandbox could mislead the verification request.
>
> How do you make sure that a request actually came from your widget?
>
> Thanks!
>
> --
> You received this message because you are subscribed to the Google Groups
> "OpenSocial Application Development" group.
> To post to this group, send email to opensocial-...@googlegroups.com.
> To unsubscribe from this group, send email to
> opensocial-api+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/opensocial-api?hl=en.
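The server-side check behind the signed requests discussed in this thread, as an added example that is not code from the thread or from the linked wiki pages: it rebuilds the OAuth 1.0 signature base string from the received parameters and verifies an RSA-SHA1 `oauth_signature` against a public key. The key pair, the URL, the parameter values and the `sign` helper are constructed for the demonstration; a real server would load the container's published public key and would never hold the private half.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-1 (RFC 8017, section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
# Constructed, insecure test key built from two Mersenne primes (assumption:
# it stands in for the container's real key pair so the example runs offline).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # All parameters except oauth_signature, sorted; url carries no query string here.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    query = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(query)])

def emsa(message, size):
    # Padded block a valid signature must decode to: 00 01 FF..FF 00 DigestInfo.
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (size - len(t) - 3) + b"\x00" + t

def sign(method, url, params):
    # Hypothetical helper playing the container's role with the test private key.
    size = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa(base_string(method, url, params).encode(), size), "big")
    return base64.b64encode(pow(m, D, N).to_bytes(size, "big")).decode()

def verify(method, url, params, n=N, e=E):
    # True only if oauth_signature is a valid RSA-SHA1 signature under (n, e).
    size = (n.bit_length() + 7) // 8
    try:
        sig = base64.b64decode(params.get("oauth_signature", ""), validate=True)
    except ValueError:
        return False
    if len(sig) != size or int.from_bytes(sig, "big") >= n:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(size, "big")
    expected = emsa(base_string(method, url, params).encode(), size)
    return hmac.compare_digest(recovered, expected)

# Constructed sample request, as a widget's signed POST might arrive at the host.
URL = "http://example.com/widget/save"
REQ = {"oauth_consumer_key": "orkut.com", "oauth_signature_method": "RSA-SHA1",
       "oauth_timestamp": "1270468800", "oauth_nonce": "a1b2c3",
       "opensocial_viewer_id": "12345", "score": "10"}
```

A valid signature only proves that the container produced these exact parameters; a replayed copy of the same request still verifies, so the server should also reject stale `oauth_timestamp` values and reused `oauth_nonce` values.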