It's a good point, but you can work on JavaScript security within the JavaScript layer as well; use Ajax within gadgets to control security on the server side, if that's the case.
Don't forget that OpenSocial is a gadget interface.

Best,
Ramon Lima

On Nov 5, 2:37 pm, EGreg <[EMAIL PROTECTED]> wrote:
> In Facebook, your app runs on your server, and users cannot modify it.
>
> On Orkut, Ning, and later MySpace, your app consists of JavaScript in
> a box. Simply by typing javascript:code into the address bar, you can
> execute requests on its behalf. What's worse, it seems there is no way
> in principle to defeat this, as long as the variables are on the
> client side. A person can execute arbitrary JavaScript code using
> Firebug or some such Firefox extension. And depending on the gadgets
> they can probably even figure out a way to do VIRAL cross-site
> scripting, like the "I have a million friends" hack on MySpace.
>
> The one thing I would recommend right now, to achieve a moderate
> degree of security is:
> OBFUSCATE YOUR CODE BEFORE SUBMITTING TO GOOGLE
>
> Yeah, use a packer and/or obfuscator to "compile" your code to
> unreadable form. A determined person can probably still unravel it
> back. Software programs can be decompiled too... but the impact is
> only confined to one person's computer. Here, it may be MUCH greater.
>
> The social networks should take care with this security. Is Google
> working to fix the situation? There's gotta be a way...
>
> Greg Magarshak
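Added example, not part of the original thread or of any OpenSocial code: a server-side handler that a gadget could call over Ajax, shown in a weak form that trusts values computed by gadget JavaScript and a hardened form that derives everything from server state. The gift catalogue, the store, the function names and the request shape are all constructed for illustration, and the viewer id is assumed to have been authenticated by the server already.

```javascript
// Constructed server-side data; in a real app this lives in your database.
const PRICES = { rose: 5, cake: 20 };            // hypothetical gift catalogue
function makeStore() {
  return { credits: new Map([["alice", 30], ["bob", 0]]), gifts: [] };
}

// Weak: the new balance is whatever the gadget's JavaScript reports, so
// anyone who can run script in the gadget's page can set it freely.
function naiveSendGift(store, viewerId, body) {
  store.credits.set(viewerId, body.newBalance);
  store.gifts.push({ from: viewerId, to: body.to, gift: body.gift });
  return { ok: true, balance: body.newBalance };
}

// Hardened: the client only names the action. Price, balance and the
// outcome come from server-side state; extra client fields are ignored.
// viewerId is assumed to be authenticated by the server (assumption).
function sendGift(store, viewerId, body) {
  const known = Object.prototype.hasOwnProperty.call(PRICES, body.gift);
  if (!known) return { ok: false, error: "unknown gift" };
  if (typeof body.to !== "string" || body.to === viewerId || !store.credits.has(body.to)) {
    return { ok: false, error: "bad recipient" };
  }
  const balance = store.credits.get(viewerId);
  const price = PRICES[body.gift];
  if (balance === undefined || balance < price) {
    return { ok: false, error: "insufficient credits" };
  }
  store.credits.set(viewerId, balance - price);
  store.gifts.push({ from: viewerId, to: body.to, gift: body.gift });
  return { ok: true, balance: balance - price };
}

// Constructed request carrying fields the gadget code would normally compute.
const TAMPERED = { to: "bob", gift: "cake", newBalance: 1000000, price: 0 };

function demo() {
  const weak = makeStore();
  const hard = makeStore();
  return {
    naive: naiveSendGift(weak, "alice", TAMPERED),
    first: sendGift(hard, "alice", TAMPERED),
    second: sendGift(hard, "alice", TAMPERED),
    finalBalance: hard.credits.get("alice"),
    giftsSent: hard.gifts.length,
  };
}
```

Obfuscating the gadget changes nothing about the first handler's exposure, since the request body can be edited after the script has run; the second handler is unaffected whether the gadget source is readable or not.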
