From what I can make out, there are large security holes in OpenSocial apps that need to be fixed really quickly.

First: prefs are readable by any visitor to a user's profile page, so you cannot store anything secret in there. On iGoogle this didn't matter as you couldn't see anyone else's iGoogle page, but now it really does matter. It means it's not possible to store a username/password or even an infinite-session-key in there, as anyone else can read it and use it for their own nefarious purposes.

Second: requests sent to external services aren't authenticated (signed) in any way. You can't sign it from JS because the only way to sign it would be to include the (orkut) user id. And that's infinitely fakeable. This means that an external service just has to trust that the data sent is legit.

How to fix these?

Second: the _IG_FetchContent etc. methods must sign each request to the end-point in such a way that developers can be certain that the request came from a legitimate source.

First: Preferences must come from a request to the server rather than passed in the clear, and that request must be signed using an API key. (Not signed in JS; the developer works out the signature for each pref he wants to retrieve.)

Overall: The XML should include some structure based on who is viewing what, and the OpenSocial server should decide which content block to send to the iframe.

<content><canvas><owner> .... </owner><visitor> ... </visitor></canvas><spotlight><owner> .... </owner><visitor> ... </visitor></spotlight></content>

Each part is optional and will fall over to the other if it's missing. The following would show the same canvas for everyone as there are no sub-tags, and would show the same spotlight for everyone as there is no 'owner' tag:

<content><canvas> </canvas><spotlight><visitor> ... </visitor></spotlight></content>

All this said, maybe I just missed something obvious that helps make apps secure.

Cheers!
Rick Measham
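One way to realise the signed-request fix the post argues for, added here as an illustration rather than code from the post, from orkut or from the OpenSocial project: the container holds a secret shared only with the app developer's server, attaches an HMAC over every outbound fetch, and the developer's server verifies it before trusting the user id or returning any prefs. The secret, the parameter names (viewer_id, owner_id, ts, url) and the HMAC-SHA256 scheme are all assumptions chosen for the example; the point is that nothing the gadget's JavaScript can produce will verify, because the JS never sees the secret.

```python
"""Added example (not from the original post or the OpenSocial spec):
the container signs each outbound fetch with a secret shared only with
the app developer's server, so that server can tell a container-signed
request from one forged in gadget JavaScript with a made-up user id.
"""
import hashlib
import hmac
import time
import urllib.parse

# Hypothetical per-app secret issued to the developer out of band. It lives
# on the container and on the developer's server, never in gadget XML or JS.
APP_SECRET = b"constructed-demo-secret-do-not-reuse"


def canonical_string(params):
    """Deterministic encoding of the parameters (sorted keys, percent-encoded
    values) so signer and verifier hash exactly the same bytes."""
    return "&".join(
        f"{urllib.parse.quote(str(k), safe='')}={urllib.parse.quote(str(v), safe='')}"
        for k, v in sorted(params.items())
    )


def sign_request(params, secret=APP_SECRET):
    """Container side: attach an HMAC-SHA256 over every parameter except 'sig'."""
    body = {k: v for k, v in params.items() if k != "sig"}
    mac = hmac.new(secret, canonical_string(body).encode(), hashlib.sha256).hexdigest()
    return {**body, "sig": mac}


def verify_request(params, secret=APP_SECRET, now=None, max_skew=300):
    """Developer's server: recompute the MAC and check freshness.
    Returns the trusted parameters on success, None on any failure."""
    sig = params.get("sig")
    if not isinstance(sig, str):
        return None  # unsigned request: the case the post complains about
    body = {k: v for k, v in params.items() if k != "sig"}
    expected = hmac.new(secret, canonical_string(body).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, sig):
        return None  # any altered field (e.g. a swapped viewer_id) lands here
    # A correctly signed request captured earlier is still a forgery when
    # replayed, so the timestamp must be close to the server's clock.
    try:
        ts = int(body["ts"])
    except (KeyError, TypeError, ValueError):
        return None
    now = time.time() if now is None else now
    if abs(now - ts) > max_skew:
        return None
    return body


def demo(now=1700000010):
    """Walk through a legitimate fetch, a forged viewer id and a replay."""
    # Constructed request: what the container would send to the app's server.
    legit = sign_request({
        "viewer_id": "12345",
        "owner_id": "67890",
        "ts": 1700000000,
        "url": "https://app.example.invalid/prefs",
    })
    forged = dict(legit)
    forged["viewer_id"] = "99999"  # attacker edits the id but cannot re-sign
    return {
        "legit": verify_request(legit, now=now) is not None,
        "forged": verify_request(forged, now=now) is not None,
        "replayed": verify_request(legit, now=now + 100000) is not None,
    }


if __name__ == "__main__":
    print(demo())  # expected: legit True, forged False, replayed False
```

The same verifier serves the post's first point: if prefs are only handed out by the developer's server in response to a request that verifies, a visitor reading the profile page gets the public gadget XML and nothing else, and a username/password or long-lived session key no longer has to sit in a pref that everyone can read.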