Even robots are vulnerable to spoofed events.  A robot is just an HTTP
resource running in appengine.  The wave server sends an HTTP request to the
robot, and the robot returns the wave operations it wants to perform in the
HTTP response.  There's no way currently for the robot to be certain that
the Wave server is legitimate.  (How do you define "legitimate" anyway,
since in the future, there may be hundreds of Wave servers out there all
trying to use services provided by your robot?)

If you're not storing state, and not creating side effects from these
events, you shouldn't care that the requester is unauthenticated, but if you
are, this remains a problem and we need a way to authenticate (and, in the
multiple Wave server case, set up namespaces for) these events.

http://code.google.com/p/google-wave-resources/issues/detail?id=344

David

On Thu, Nov 12, 2009 at 11:03 PM, hcvst <[email protected]> wrote:

> I guess I'll use the robot events instead of an AJAX call. There does
> not seem to be a reliable method to secure it.
> HC
>
> On Nov 12, 11:14 am, hcvst <[email protected]> wrote:
> > Hi,
> >
> > my gadget issues an AJAX call to remotely update some data when its
> > state changes. The AJAX endpoint is the same server that hosts the
> > gadget.xml (Appengine). Currently, anyone looking at the gadget's
> > source can see the endpoint
> > and call it themselves with some query parameters to effectively
> > submit any data they like.
> >
> > The question is how to prevent this. It's only a matter of time until
> > wave gadget hacking becomes a new pastime.
> >
> > 1* Inspect the HTTP header on the server to check whether call
> > originates from Google?
> >
> >> Does not really solve the problem although makes it perhaps a little
> >> harder for the attacker. Malicious gadgets could be embedded. What about
> >> HTTP header spoofing (I don't know) and once federation kicks in the gadget
> >> would only work on Google's wave browser. No, not a solution.
> >
> > 2* OAuth? I keep reading about OAuth in this forum and started to read
> > the docs again. Is that the way to go? I haven't read much yet, but
> > tokens would have to be stored somewhere in the gadget, wouldn't they?
> >
> > Is there perhaps an obvious third approach - after all gadget.xml and
> > endpoint are on the same server...
> >
> > Anyway, love wave, it's so much fun to use and even more so to
> > program.
> >
> > Thanks,
> > HC
>

--

You received this message because you are subscribed to the Google Groups 
"Google Wave API" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/google-wave-api?hl=.
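An added illustration (not code from this thread, from the Wave API, or from Google) of what "a way to authenticate (and namespace) these events" could look like on the robot side, and of why option 1 above (inspecting a header to see whether the call "originates from Google") does not hold up. The header names, the per-server shared secrets and the event body are all hypothetical; the point is that each calling Wave server gets its own key, the server id is bound into what is signed, and stale or repeated deliveries are rejected.

```python
import hashlib
import hmac
import time

# Constructed, hypothetical shared secrets: one per Wave server that is
# allowed to deliver events to this robot. The server id doubles as the
# namespace for the events it sends. None of this is from the Wave API.
SERVER_SECRETS = {
    "wave.example.com": b"k1-replace-with-a-random-32-byte-secret",
    "wave.partner.test": b"k2-replace-with-a-random-32-byte-secret",
}

MAX_SKEW_SECONDS = 300  # reject events whose timestamp is too far from now


def _signing_input(server_id, timestamp, body):
    # Bind the server id and timestamp into what is signed, so a signature
    # from one server cannot be presented as another server's event.
    return b"\n".join([server_id.encode(), str(timestamp).encode(), body])


def sign_event(server_id, secret, body, timestamp):
    """Headers a legitimate Wave server would attach (hypothetical names)."""
    digest = hmac.new(secret, _signing_input(server_id, timestamp, body),
                      hashlib.sha256).hexdigest()
    return {
        "X-Wave-Server": server_id,
        "X-Wave-Timestamp": str(timestamp),
        "X-Wave-Signature": digest,
    }


def origin_header_check(headers):
    """Option 1 from the thread: trust a header saying the caller is Google.
    Any HTTP client can set this header, so it proves nothing."""
    return headers.get("User-Agent", "").startswith("Google-Wave")


def verify_event(headers, body, now=None, seen=None):
    """Return (ok, reason_or_server_id). `seen` is a set of accepted
    signatures used to reject replays inside the skew window."""
    now = time.time() if now is None else now
    server_id = headers.get("X-Wave-Server", "")
    secret = SERVER_SECRETS.get(server_id)
    if secret is None:
        return False, "unknown server"
    try:
        timestamp = int(headers.get("X-Wave-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = hmac.new(secret, _signing_input(server_id, timestamp, body),
                        hashlib.sha256).hexdigest()
    presented = headers.get("X-Wave-Signature", "")
    # Constant-time comparison: a plain == leaks timing information.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"
    if seen is not None:
        if expected in seen:
            return False, "replay"
        seen.add(expected)
    return True, server_id


def demo():
    """Walk through the cases the thread worries about; returns a dict."""
    # Constructed event body; the shape is only illustrative.
    body = b'{"events":[{"type":"BLIP_SUBMITTED","blipId":"b+1"}]}'
    now = 1258000000  # fixed clock so the demo is deterministic
    seen = set()
    good = sign_event("wave.example.com",
                      SERVER_SECRETS["wave.example.com"], body, now)
    results = {}
    # A spoofed origin header sails through the naive check but not the HMAC.
    spoofed = {"User-Agent": "Google-Wave/1.0"}
    results["spoofed_header_passes_naive"] = origin_header_check(spoofed)
    results["spoofed_header_fails_hmac"] = verify_event(spoofed, body, now, seen)[0]
    results["genuine"] = verify_event(good, body, now, seen)
    # Same signed request delivered again a few seconds later.
    results["replay"] = verify_event(good, body, now + 10, seen)[1]
    # Body altered in flight, headers untouched.
    results["tampered_body"] = verify_event(
        good, body.replace(b"b+1", b"b+2"), now, set())[1]
    # A key for one server cannot be used to speak for another server.
    cross = sign_event("wave.partner.test",
                       SERVER_SECRETS["wave.example.com"], body, now)
    results["wrong_server_key"] = verify_event(cross, body, now, set())[1]
    results["stale"] = verify_event(good, body, now + 3600, set())[1]
    return results
```

The shared secret still has to be provisioned per Wave server out of band, which is the namespace setup David refers to; the `seen` set would live in the datastore or memcache on App Engine rather than in process memory, and the skew window should be as small as clock drift between the servers allows.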
