Thank you very much for your reply. As a follow-up, may I ask if you know of any Google resources about setting up a gadget container server? I appreciate your information a lot =)
kaiphone

On Apr 21, 3:26 pm, String <[email protected]> wrote:
> On Apr 15, 9:58 am, kaiphone <[email protected]> wrote:
>
> > While it is true that I can specify a secured https link for
> > gadget content with type url, is there any way for gadget user to
> > access/add the gadget specification (i.e. the gadget xml file) using
> > https as well?
>
> You'd need to host your own gadget container on HTTPS, and ensure that
> all resources were delivered via SSL. There's no way to make iGoogle
> load the XML over SSL, nor to ensure that a given user accesses
> iGoogle itself on HTTPS.
>
> > 2. For normal https site, user can see the certificate information
> > and the "lock" logo from the browser, is there a way for gadget to
> > show this information to user as well to ensure user is browsing a
> > trusted site?
>
> There's no way within the gadget API, but it is possible... You'd need
> to generate such information using a server-side language (such as
> PHP), and include it in the iframe content. While theoretically you
> could do something similar using JS and the window.location property,
> there'd be no way to make sure that wasn't spoofed by a MITM.
>
> > 3. Is there any other security issues that I need to pay attention if
> > I want to develop a secure gadget?
>
> Generally, gadgets are just miniature web apps, so you need to be
> aware of all the usual attack vectors: script injection/XSS, CSRF,
> clickjacking, and so on.
>
> However, let me say that iGoogle is overall not a very secure
> environment. It's just not architected with high security in mind;
> you've identified a few of the issues above, but I'm sure there are
> more, and I'm no security expert, and neither is anyone else who
> frequents this forum. If you're developing a gadget around highly
> sensitive data, you're asking for trouble.
>
> String
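
The quoted reply's requirement that a gadget and all of its resources be delivered over SSL can be checked before deployment. The following is an added example, not code from the thread or from Google: the sample spec, the `URL_ATTRS` list and the function name are constructed for illustration, and protocol-relative (`//host/...`) URLs are flagged on the assumption that the embedding page may be loaded over plain HTTP.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample gadget spec (not from the thread).
SAMPLE_SPEC = """<Module>
  <ModulePrefs title="Demo" thumbnail="http://example.com/thumb.png"/>
  <Content type="html"><![CDATA[
    <script src="http://example.com/app.js"></script>
    <img src="https://example.com/logo.png">
    <form action="//example.com/submit"></form>
  ]]></Content>
</Module>"""

# Attributes treated as URL-bearing (assumed list, extend as needed).
URL_ATTRS = {"src", "href", "action", "thumbnail", "screenshot"}
# Absolute http:// URLs, or protocol-relative ones that inherit the page scheme.
NOT_HTTPS = re.compile(r"^(?:http:)?//", re.IGNORECASE)

class _UrlCollector(HTMLParser):
    """Collects URL-bearing attributes from the HTML inside <Content>."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((f"<{tag} {name}>", value))

def insecure_resources(spec_xml, spec_url):
    """Return (location, url) pairs that are not pinned to HTTPS."""
    candidates = [("gadget spec", spec_url)]
    for el in ET.fromstring(spec_xml).iter():
        # URL attributes on spec elements, e.g. <Content type="url" href=...>
        for name, value in el.attrib.items():
            if name in URL_ATTRS:
                candidates.append((f"<{el.tag} {name}>", value))
        # type="html" gadgets carry their markup as CDATA text in <Content>
        if el.tag == "Content" and el.text:
            collector = _UrlCollector()
            collector.feed(el.text)
            candidates.extend(collector.urls)
    return [(where, url) for where, url in candidates
            if NOT_HTTPS.match(url.strip())]

if __name__ == "__main__":
    for where, url in insecure_resources(SAMPLE_SPEC, "http://example.com/gadget.xml"):
        print(f"not HTTPS: {where}: {url}")
```
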
