The issue here is that security tokens are passed via the iframe URL. This means that the token can leak out in Referer URLs. To prevent leakage one can use a very short-lived token which is exchanged for a longer-lived token when an RPC or makeRequest is used. It also allows for renewing tokens periodically during use, avoiding expired tokens that cause apps to break.
2010/11/14 Da Wei Wang <[email protected]>

> Hi, Shindig Team,
>
> For the Shindig.auth feature, it allows updating the security token on the client
> side with shindig.auth.updateSecurityToken(). This function is used in two
> places, auth-refresh and core.io. It may be used in gadget app code.
>
> I am not clear about why Shindig designs this way, when to use it. Would
> someone point out in which scenario each gadget in the page should have
> its own security token.
>
> Thanks.
>
> Best regards,
> Da Wei Wang(王大炜)
> Email: [email protected] Tel: 86-10-82452636

--
Paul Lindner -- [email protected] -- linkedin.com/in/plindner
