On Apr 15, 9:58 am, kaiphone <[email protected]> wrote:
> While it is true that I can specify a secured https link for
> gadget content with type url, is there any way for gadget user to
> access/add the gadget specification (i.e. the gadget xml file) using
> https as well?

You'd need to host your own gadget container on HTTPS, and ensure that all resources were delivered via SSL. There's no way to make iGoogle load the XML over SSL, nor to ensure that a given user accesses iGoogle itself on HTTPS.

> 2. For normal https site, user can see the certificate information
> and the "lock" logo from the browser, is there a way for gadget to
> show this information to user as well to ensure user is browsing a
> trusted site?

There's no way within the gadget API, but it is possible... You'd need to generate such information using a server-side language (such as PHP), and include it in the iframe content. While theoretically you could do something similar using JS and the window.location property, there'd be no way to make sure that wasn't spoofed by a MITM.

> 3. Are there any other security issues that I need to pay attention to if
> I want to develop a secure gadget?

Generally, gadgets are just miniature web apps, so you need to be aware of all the usual attack vectors: script injection/XSS, CSRF, clickjacking, and so on.

However, let me say that iGoogle is overall not a very secure environment. It's just not architected with high security in mind; you've identified a few of the issues above, but I'm sure there are more, and I'm no security expert, and neither is anyone else who frequents this forum. If you're developing a gadget around highly sensitive data, you're asking for trouble.

String
