I partially understand the same-origin policy, but not all of its consequences. If all gadgets are rendered from the same ifr 'service', they share the same origin. Does that mean that every gadget can walk the DOM of every other gadget in the same page? At least they could share the cookies, but I don't know how relevant that is, given that makeRequest drops the cookies (does it?).
The other thing is the rpc_relay.html. I know it is sometimes used for cross-site communication between iframes, but I still don't know about the consequences. The documentation states that rpc_relay.html must not be in the same domain as (I don't remember - was it shindig - the site?). Creating one domain per gadget, while possible, forces the host to also control a DNS sub-tree. Is this something done somewhere? How does Caja fit into this picture?

I again apologize for my ignorance; any pointer or documentation will be greatly appreciated.

thanks a lot

On Tue, Aug 17, 2010 at 9:46 AM, Christiaan Hees <[email protected]> wrote:
> You probably even want each gadget iframe to be rendered on a different sub
> domain or else they'll be able to influence each other through the DOM.
> Anyway, I ended up doing the metadata call on the server side and passing
> only the result to the client JS, which seems to work fine.
>
> On Tue, Aug 17, 2010 at 1:17 PM, Bastian Hofmann <[email protected]> wrote:
>
> > If shindig and your container are on the same domain all gadgets have
> > full access to your container javascript, can manipulate the DOM of
> > your page and access your user's cookies.
> >
> > See http://en.wikipedia.org/wiki/Same_origin_policy
> >
> > 2010/8/17 Pablo Graña <[email protected]>:
> > > I apologize for my ignorance, but I can't figure out why it is a
> > > security risk.
> > >
> > > On Tue, Aug 17, 2010 at 7:16 AM, Tim Wintle <[email protected]> wrote:
> > >
> > >> On Wed, 2010-08-11 at 13:01 -0400, Gregg Horan wrote:
> > >> > I've been successful using apache in front and doing rewrites on
> > >> > /gadgets, /social, etc.
> > >>
> > >> I may be misunderstanding, but you don't really want to be hosting your
> > >> site on the same (domain, port) as shindig for security reasons.
> > >
> > > --
> > > Pablo Graña
> > > Chief Architect
> > > Globant
> > > Arg Office: +54 (11) 4109 1743
> > > UK Office: +44 (20) 7043 8269 int 8043
> > > US Office: +1 (212) 400 7686 int 8043

--
Pablo Graña
Chief Architect
Globant
Arg Office: +54 (11) 4109 1743
UK Office: +44 (20) 7043 8269 int 8043
US Office: +1 (212) 400 7686 int 8043
