(...)"until the OAuth be implemented"(...) What I've said is that some implementations, more simple, could be made until OAuth be implemented.... We don't know when the OAuth will be part of the OpenSocial... there is no information about date releases here:
http://groups.google.com/group/opensocial/web/whats-up-with-opensocial On Dec 5, 2007 12:07 PM, Paul Lindner <[EMAIL PROTECTED]> wrote: > Please read this: > > > http://opensocialapis.blogspot.com/2007/11/improved-content-fetching-for.html > > On Wed, Dec 05, 2007 at 11:01:47AM -0300, Luciano Ricardi wrote: > > I really think that some few changes on the working method of > > _IG_FetchContent() could bring some great security gains on OpenSocial > until > > the OAuth be implemented. > > > > Let's take the Orkut Sandbox for an example: > > > > 1 - We received the calls from Sandbox Proxies just from 3 proxies... > > 66.249.84.15 > > 72.14.195.49 > > 74.125.16.6 > > > > Well, so we can implement security procedures on our codes that prevent > to > > deliver content to anauthorised IPs. This is a good enhancement in > security, > > but we need some way to get this IP's List. We got this IP's from the > access > > logs of the web server... > > > > 2 - The request that comes from the proxies is like this: > > > > "GET > > > /gadgets/view_content.php?id_orkut=02772430860366983940&.cache=3239336552 > > HTTP/1.1" > > > > The id_orkut is the parameter that we put on our gadget code. The > ".cache" > > is appended by the proxy server. Well, why not to append the real id of > the > > gadget viewer? This could grant that the caller of _IG_FetchContent is > the > > viewer of the gadget. > > > > So.... this is what I suggest for enhance the security of OpenSocial > until > > OAuth be implemented: > > > > 1 - Some method to bring the IPs from the Proxy of the OpenSocial > > containers. > > 2 - Append the Id of the Viewer (or other informations) in the GET > > parameters" > > > > []s > > > > Luciano R. > > > > On Dec 4, 2007 9:37 PM, nate <[EMAIL PROTECTED]> wrote: > > > > > > > > This may or may not be obvious, but I would like to make a request > > > regarding the data that will get signed into _IG_Fretch_Content() > > > requests originating from OpenSocial containers. > > > > > > I think the primary thing that Service Provider apps will want to > > > validate is the viewer/owner relationship. To that end, it would be > > > really handy to make every _IG_Fretch_Content() request contain a > > > signed: > > > * gadget owner ID > > > * gadget viewer ID > > > * owner/viewer relationship (i.e. "friends" or "public") with > > > respect to the container > > > > > > If this info can be made non-spoofable, Service Providers can reliably > > > apply privacy settings, not to mention allow the gadget owner to set > > > privacy settings from within the container. > > > > > > Thanks for your consideration, and all your hard work. > > > > > > - nate > > > > > > > > > > > > > > > > -- > Paul Lindner > hi5 Architect > [EMAIL PROTECTED] > -- Luciano --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OpenSocial API Definition" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/opensocial-api?hl=en -~----------~----~----~----~------~----~------~--~---
