Hi All,

I am in fact a newbie to Google gadget development and am planning to develop a gadget that requires the user to log in. In this regard, I have some security issues in the implementation.

1. I understand Google gadgets come in two types: a) content type = html and b) content type = url. For a gadget that requires login, it is recommended to use version b) (i.e. content type=url) according to the doc. While it is true that I can specify a secured https link for gadget content with type url, is there any way for a gadget user to access/add the gadget specification (i.e. the gadget xml file) using https as well? If not, it seems that I can only ensure the data being input is interacting with a trusted source but not the gadget specification (i.e. the gadget xml file). In particular, I am afraid case B described below will happen. Scenarios as follows:

A) Web Client --> Gadget Spec (xml file) - [content type= url: https://trusted site] -> Trusted Site
B) Web Client --> Phishing Gadget Spec (evil xml file) -> Stealing Sensitive Information -> redirect back to the trusted site

2. For a normal https site, the user can see the certificate information and the "lock" logo from the browser. Is there a way for a gadget to show this information to the user as well, to ensure the user is browsing a trusted site?

3. Are there any other security issues that I need to pay attention to if I want to develop a secure gadget?

Thanks a lot in advance.

Best Regards,
kaiphone
