I really think that some few changes on the working method of _IG_FetchContent() could bring some great security gains on OpenSocial until the OAuth be implemented.
Let's take the Orkut Sandbox for an example: 1 - We received the calls from Sandbox Proxies just from 3 proxies... 66.249.84.15 72.14.195.49 74.125.16.6 Well, so we can implement security procedures on our codes that prevent to deliver content to anauthorised IPs. This is a good enhancement in security, but we need some way to get this IP's List. We got this IP's from the access logs of the web server... 2 - The request that comes from the proxies is like this: "GET /gadgets/view_content.php?id_orkut=02772430860366983940&.cache=3239336552 HTTP/1.1" The id_orkut is the parameter that we put on our gadget code. The ".cache" is appended by the proxy server. Well, why not to append the real id of the gadget viewer? This could grant that the caller of _IG_FetchContent is the viewer of the gadget. So.... this is what I suggest for enhance the security of OpenSocial until OAuth be implemented: 1 - Some method to bring the IPs from the Proxy of the OpenSocial containers. 2 - Append the Id of the Viewer (or other informations) in the GET parameters" []s Luciano R. On Dec 4, 2007 9:37 PM, nate <[EMAIL PROTECTED]> wrote: > > This may or may not be obvious, but I would like to make a request > regarding the data that will get signed into _IG_Fretch_Content() > requests originating from OpenSocial containers. > > I think the primary thing that Service Provider apps will want to > validate is the viewer/owner relationship. To that end, it would be > really handy to make every _IG_Fretch_Content() request contain a > signed: > * gadget owner ID > * gadget viewer ID > * owner/viewer relationship (i.e. "friends" or "public") with > respect to the container > > If this info can be made non-spoofable, Service Providers can reliably > apply privacy settings, not to mention allow the gadget owner to set > privacy settings from within the container. > > Thanks for your consideration, and all your hard work. > > - nate > > > > -- Luciano --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OpenSocial API Definition" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/opensocial-api?hl=en -~----------~----~----~----~------~----~------~--~---
