Hello Frank,

Thanks for your question.

AFAIK, the browser should disallow access to the source of an iframe embedded as such from another domain. Thus, with the script tag (and json-in-script callback) the parent page would have access to the private event data, but the iframe implementation would not allow this access.

Either way, in the cases you've pointed out, the person writing the code would need to know the magic cookie value. Because of this, there may not be a security concern here. I've filed a bug to investigate this further.

Cheers,
-Ryan

On Mar 19, 1:01 pm, "frank" <[EMAIL PROTECTED]> wrote:
> Maybe this is obvious and I'm not seeing it, but... What exactly is
> the security concern here?
>
> Assuming you trust your own javascript and google's javascript not to
> inject code you don't like...
>
> What's the difference between:
> <iframe src="http://www.google.com/calendar/embed?src=****&pvttk=****"/>
> and
> <script src="http://www.google.com/calendar/feeds/****/private-****/basic?alt=json-in-script"/>
>
> thanks,
>
> - Frank.
>
> On Mar 9, 9:14 am, "Ryan Boyd (Google)" <[EMAIL PROTECTED]> wrote:
> > On 3/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > When I try to use the alt-json on one of my private calendars I get
> > > Invalid Feed Type returned ?
> > > But it works with the example url - google developer events.
> > >
> > > doesn't work (added stars instead of actually key) :
> > > http://www.google.com/calendar/feeds/qgtd0jfpima1chkrh1rqek7rug%40gro...
> > > number/full?alt=json
> > >
> > > does work :
> > > http://www.google.com/calendar/feeds/[EMAIL PROTECTED]/public/full?alt=json
> > >
> > > Is JSON not supported on private calendar feeds?
> >
> > Correct -- JSON is currently not supported on any private calendar feeds due
> > to security concerns re cross-site-scripting.
> > I have a bug filed to change
> > this in the future slightly to allow JSON output when the feed is
> > authenticated via ClientLogin or AuthSub, but this won't affect magic cookie
> > or real (http spec) cookie authentication.
> >
> > Cheers,
> >
> > -Ryan
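
The output-format policy discussed in this thread, sketched as an added example that is not part of the original messages and is not Google's code: script-readable JSON is served for public feeds and for private feeds authenticated by a ClientLogin or AuthSub `Authorization` header, and refused for magic-cookie URLs and HTTP cookies. The function names, the plain `private` path segment for header-authenticated feeds, the `atom` default for `alt`, and the lower-cased header keys are assumptions.

```javascript
// Added illustration, not Google's code. Decides whether a calendar feed
// request may be answered in a format that a cross-site <script> tag can read.
const SCRIPT_READABLE = new Set(["json", "json-in-script"]);

// Authorization schemes used by ClientLogin and AuthSub. A <script src> tag
// cannot attach this header, so the request comes from code holding the token.
function headerAuth(headers) {
  const value = headers["authorization"] || "";
  if (/^GoogleLogin\s+auth=\S+/i.test(value)) return "ClientLogin";
  if (/^AuthSub\s+token=\S+/i.test(value)) return "AuthSub";
  return null;
}

// headers: object with lower-cased keys (assumption of this sketch).
function classifyFeedRequest(rawUrl, headers = {}) {
  const url = new URL(rawUrl);
  // Path shape seen in the thread: /calendar/feeds/<user>/<visibility>/<projection>
  const m = url.pathname.match(/^\/calendar\/feeds\/([^/]+)\/([^/]+)\/([^/]+)$/);
  if (!m) return { allow: false, reason: "not a calendar feed path" };
  const visibility = m[2];
  // Assumption: a request without alt= gets the Atom feed, which a
  // <script> tag cannot parse as JavaScript.
  const alt = (url.searchParams.get("alt") || "atom").toLowerCase();
  if (!SCRIPT_READABLE.has(alt)) return { allow: true, reason: "not script-readable output" };
  if (visibility === "public") return { allow: true, reason: "public feed" };
  // private-<magic cookie>: the secret travels in the URL itself, so any page
  // that has the URL can load the data with a plain <script src=...>.
  if (visibility.startsWith("private-")) {
    return { allow: false, reason: "magic cookie in URL" };
  }
  const scheme = headerAuth(headers);
  if (scheme) return { allow: true, reason: `${scheme} header token` };
  // The browser attaches cookies to cross-site script loads on its own.
  if (headers["cookie"]) return { allow: false, reason: "HTTP cookie is sent automatically" };
  return { allow: false, reason: "unauthenticated private feed" };
}
```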
