On Mar 30, 2010, at 12:34 AM, Harm wrote:

I'm trying to build a secure iGoogle gadget. People need to send
sensitive data to my server (typically username/pass).
I so far figured out that the way to do that is create a gadget with
<Content type="url" href="https://bla.com/test.html"></Content> as
this is the only way to load SSL resources.

The initial page will show a login dialog. After the user is logged in
I want to set a hidden UserPref so I know that particular gadget is
authenticated.


I just trust the Google login, instead of asking the user to log in twice. You'll have to judge whether Google provides enough security around their login practice to satisfy your needs.

The basic process is:

1- Use <Content type="html"> instead.

2- Make a signed (OAuth) makeRequest call to your server to retrieve a session ID.
http://wiki.opensocial.org/index.php?title=Gadgets.io_%28v0.9%29#gadgets.io.makeRequest

3- Use that session ID to create an iframe on the page that calls your webpage using that session ID. Note that using the SSL connection in this arrangement or your current one will throw security alerts in some browsers, due to your page being SSL while the host iGoogle page is not.

Alternatively, if you don't need or want to use your webserver to deliver HTML directly to the browser, you can continue to make signed makeRequest calls to gather the data you need for your JavaScript gadget to create and render the required HTML in place. This would avoid the SSL security alert, I believe.

I don't know if makeRequest is equipped to make calls to an SSL resource, or whether it is needed since no plaintext password is being sent.

--

   Ben Curtis : webwright
   bivia : a personal web studio
   http://www.bivia.com/
   v/f : 818 507 6613
   i.m.: BiviaBen
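
Added example, not part of the original message: a Node.js sketch of the server side of step 2, checking the signature on a signed makeRequest before handing out a session ID. It assumes the container signs with OAuth 1.0 RSA-SHA1 and names the viewer in opensocial_viewer_id; the function names, the in-memory stores and the 300-second window are illustrative, and the container's public key is supplied by the caller.

```javascript
// Added example: verify a signed makeRequest, then issue a session ID.
const nodeCrypto = require('node:crypto');

// RFC 5849 percent-encoding (encodeURIComponent leaves !*'() unescaped).
const enc = (s) => encodeURIComponent(s).replace(/[!*'()]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// OAuth 1.0 signature base string: METHOD & base URL & sorted parameters.
// `url` is the request URL without its query string; `params` holds every
// query/body/oauth parameter received.
function baseString(method, url, params) {
  const pairs = Object.entries(params)
    .filter(([k]) => k !== 'oauth_signature')
    .map(([k, v]) => `${enc(k)}=${enc(v)}`)
    .sort()
    .join('&');
  return [method.toUpperCase(), enc(url), enc(pairs)].join('&');
}

const seenNonces = new Set(); // assumption: in-memory replay cache for the demo
const sessions = new Map();   // session ID -> viewer ID vouched for by the container

// Returns a fresh session ID if the request is authentic, otherwise null.
function issueSession(method, url, params, containerPublicKeyPem, nowSec) {
  if (params.oauth_signature_method !== 'RSA-SHA1') return null;
  if (!params.oauth_signature || !params.oauth_nonce) return null;
  if (!params.opensocial_viewer_id) return null;
  const ts = Number(params.oauth_timestamp);
  if (!Number.isFinite(ts) || Math.abs(nowSec - ts) > 300) return null; // stale
  const ok = nodeCrypto.createVerify('RSA-SHA1')
    .update(baseString(method, url, params))
    .verify(containerPublicKeyPem, params.oauth_signature, 'base64');
  if (!ok) return null;                                  // forged or altered
  const nonceKey = `${params.oauth_timestamp}:${params.oauth_nonce}`;
  if (seenNonces.has(nonceKey)) return null;             // replayed request
  seenNonces.add(nonceKey);
  const sid = nodeCrypto.randomBytes(32).toString('hex'); // unguessable ID
  sessions.set(sid, params.opensocial_viewer_id);
  return sid;
}
```

Because the session ID then travels in the iframe URL of step 3, it should be short-lived and bound to the viewer ID stored with it.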





