On Tue, Nov 24, 2009 at 8:51 AM, David Nesting <[email protected]> wrote:
> your only options at this point are to keep the interactions/data entirely
> within Wave, or authenticate the user wholly

Actually, it occurs to me that this isn't entirely secure either. The API doesn't allow gadgets to say "store this piece of data associated with the currently logged-in user", only "store this data in this key", where the key may contain the user ID. This means I can manipulate your gadget on my end to store arbitrary state in keys "belonging" to different users. To Wave, the keys are just strings.

This appears to have already been filed at http://code.google.com/p/google-wave-resources/issues/detail?id=142.

If you need to ensure authenticity/integrity of data associated with a user, don't rely on Wave for that and do it yourself in a gadget that explicitly authenticates the user.

David
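The closing advice above, sketched as an added example (not part of the original message and not Wave API code): a gadget backend that authenticates the user itself signs each value together with the user ID and field name, so an entry written under another user's key fails verification. The `<userId>/<field>` key layout, `SERVER_SECRET`, `signEntry`, `verifyEntry` and `auditState` are assumptions made for illustration, and the state map is constructed sample data.

```javascript
// Added example: all names here are hypothetical, not part of the Wave API.
const crypto = require('node:crypto');

// Secret held only by the gadget's backend, never shipped to the browser.
const SERVER_SECRET = crypto.randomBytes(32);

// Length-prefix each part so ("ab","c") and ("a","bc") cannot produce the same MAC input.
function mac(userId, field, value) {
  const h = crypto.createHmac('sha256', SERVER_SECRET);
  for (const part of [userId, field, value]) {
    const buf = Buffer.from(part, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(buf.length);
    h.update(len);
    h.update(buf);
  }
  return h.digest('hex');
}

// Backend: called only after the backend itself has authenticated userId.
function signEntry(userId, field, value) {
  return JSON.stringify({ value, tag: mac(userId, field, value) });
}

// Backend: check an entry read from shared state under key "<userId>/<field>".
function verifyEntry(key, stored) {
  const slash = key.indexOf('/');
  if (slash < 1) return null;
  let entry;
  try { entry = JSON.parse(stored); } catch { return null; }
  if (!entry || typeof entry.value !== 'string' || typeof entry.tag !== 'string') return null;
  const expected = Buffer.from(mac(key.slice(0, slash), key.slice(slash + 1), entry.value), 'hex');
  const given = Buffer.from(entry.tag, 'hex');
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? entry.value : null;
}

// Constructed shared state: to the platform these keys are just strings.
const waveState = {
  'alice@example.com/vote': signEntry('alice@example.com', 'vote', 'yes'), // issued by the backend
  'bob@example.com/vote': JSON.stringify({ value: 'no', tag: 'deadbeef' }) // written by someone else
};
waveState['carol@example.com/vote'] = waveState['alice@example.com/vote']; // signed entry copied to another key

// Map every key to its verified value, or null when the entry cannot be trusted.
function auditState(state) {
  return Object.fromEntries(Object.entries(state).map(([k, v]) => [k, verifyEntry(k, v)]));
}
```

A tag for an older value of the same key still verifies, so a backend that needs freshness would also sign a counter or timestamp.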
