I guess I'll use the robot events instead of an AJAX call. There does not seem to be a reliable method to secure it.

HC

On Nov 12, 11:14 am, hcvst <[email protected]> wrote:
> Hi,
>
> my gadget issues an AJAX call to remotely update some data when its
> state changes. The AJAX endpoint is the same server that hosts the
> gadget.xml (Appengine). Currently, anyone looking at the gadget's
> source can see the endpoint and call it themselves with some query
> parameters to effectively submit any data they like.
>
> The question is how to prevent this. It's only a matter of time until
> wave gadget hacking becomes a new pastime.
>
> 1* Inspect the HTTP header on the server to check whether the call
> originates from Google?
>
> >> Does not really solve the problem, although it perhaps makes it a little
> >> harder for the attacker. Malicious gadgets could be embedded. What about
> >> HTTP header spoofing (I don't know), and once federation kicks in the
> >> gadget would only work on Google's wave browser. No, not a solution.
>
> 2* OAuth? I keep reading about OAuth in this forum and started to read
> the docs again. Is that the way to go? I haven't read much yet, but
> tokens would have to be stored somewhere in the gadget, wouldn't they?
>
> Is there perhaps an obvious third approach - after all, gadget.xml and
> the endpoint are on the same server...
>
> Anyway, love wave, it's so much fun to use and even more so to
> program.
>
> Thanks,
> HC

--
You received this message because you are subscribed to the Google Groups "Google Wave API" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/google-wave-api?hl=.
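The thread weighs two options for the gadget's endpoint: checking request headers (which hcvst notes can be spoofed) and OAuth. The following is an added example, not code from the thread, from Google Wave, or from any gadget library, showing what the OAuth 1.0 HMAC-SHA1 request-signing mechanism behind option 2 actually buys the server: an unsigned call, a tampered payload, a stale timestamp and a replayed request are all rejected by checks the server can perform on its own. The endpoint URL, consumer key, consumer secret and gadget state values are constructed for the example. It does not remove the problem hcvst raises: whoever signs must hold the consumer secret, so placing it in the gadget source (which any viewer can read) would defeat the scheme; the signing party has to be something the viewer cannot inspect, such as the hosting container or a server-side component.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Hypothetical gadget endpoint and credentials, constructed for this example.
ENDPOINT = "https://example-gadget-host.appspot.com/update"
CONSUMER_KEY = "wave-gadget-demo"
CONSUMER_SECRET = "demo-secret-held-by-container-only"
MAX_CLOCK_SKEW = 300  # seconds a timestamp may differ from server time


def _pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")


def normalized_params(params):
    # Encode keys and values, sort by key then value; oauth_signature is excluded.
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, base_url, params):
    return "&".join([method.upper(), _pct(base_url), _pct(normalized_params(params))])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, base_url, body, consumer_key, consumer_secret, now=None):
    """Signer side: returns the full parameter set including the oauth_* fields."""
    params = dict(body)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now if now is not None else time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = hmac_sha1_signature(method, base_url, params, consumer_secret)
    return params


class Verifier:
    """Server side: rejects unsigned, tampered, stale and replayed requests."""

    def __init__(self, secrets_by_key, max_skew=MAX_CLOCK_SKEW):
        self.secrets_by_key = secrets_by_key
        self.max_skew = max_skew
        # In-memory for the example; a real server needs a shared store with expiry.
        self.seen_nonces = set()

    def verify(self, method, base_url, params, now=None):
        now = int(now if now is not None else time.time())
        for field in ("oauth_consumer_key", "oauth_signature", "oauth_timestamp", "oauth_nonce"):
            if field not in params:
                return False, f"missing {field}"
        secret = self.secrets_by_key.get(params["oauth_consumer_key"])
        if secret is None:
            return False, "unknown consumer key"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(params["oauth_timestamp"])
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        expected = hmac_sha1_signature(method, base_url, params, secret)
        # Constant-time comparison; encode so a non-ASCII client value cannot raise.
        if not hmac.compare_digest(expected.encode(), str(params["oauth_signature"]).encode()):
            return False, "bad signature"
        nonce_id = (params["oauth_consumer_key"], ts, params["oauth_nonce"])
        if nonce_id in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce_id)
        return True, "ok"


def demo(now=1_700_000_000):
    """Runs the cases the thread is about and returns the verifier's verdict for each."""
    verifier = Verifier({CONSUMER_KEY: CONSUMER_SECRET})
    body = {"wave_id": "w+demo", "state": "42"}  # constructed gadget state update
    signed = sign_request("POST", ENDPOINT, body, CONSUMER_KEY, CONSUMER_SECRET, now=now)
    results = {}
    results["signed"] = verifier.verify("POST", ENDPOINT, signed, now=now)
    tampered = dict(signed, state="9999")  # same signature, altered payload
    results["tampered"] = verifier.verify("POST", ENDPOINT, tampered, now=now)
    results["replayed"] = verifier.verify("POST", ENDPOINT, signed, now=now)  # exact resend
    results["unsigned"] = verifier.verify("POST", ENDPOINT, body, now=now)  # plain AJAX call
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The order of checks in `verify` is deliberate: the signature is validated before the nonce is recorded, so a forged request cannot burn a nonce the legitimate signer is about to use, and the timestamp window bounds how long the nonce store must remember entries.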
