Ah, I see - you're talking about the case where a malicious user forges a signed request by passing (false) signed parameters in an unsigned request?
I don't believe that the spec makes any claim about what should be done in the case that opensocial_ownerid is passed as an unsigned parameter. This is a good question, and you should probably propose it as an amendment in this forum: http://groups.google.com/group/opensocial-and-gadgets-spec/topics

Obviously, third-party sites should be validating opensocial_ownerid, etc. against the container's public certificate (or shared secret) in all cases.

Thanks,
~Arne

On Fri, Mar 7, 2008 at 10:11 AM, Chak Nanga <[EMAIL PROTECTED]> wrote:
>
> Hi Arne,
>
> Thanks for the quick reply.
>
> I'm mainly thinking from a container implementer's point of view, mainly in terms of security.
>
> Assuming that I'm implementing a container/proxy, what should the proxy do when it sees opensocial_* params for an UNSIGNED makeRequest() call? Should it just pass them along to the 3rd-party site?
>
> It's pretty clear in the case of SIGNED requests that the proxy is supposed to strip out the opensocial_* and oauth_* params.
>
> Thanks
> Chak
>
>
> On Mar 7, 9:59 am, "Arne Roomann-Kurrik" <[EMAIL PROTECTED]> wrote:
> > Hi Chak,
> >
> > In response to question 1: you can always just get this information yourself and pass it as POST or GET data in the unsigned makeRequest call. However, why not just make a signed request?
> >
> > For question 2, the OpenSocial spec doesn't define any additional information that's passed for unsigned calls. I suppose containers could choose to pass additional data automatically, but this could be problematic if developers expect their servers to be accessed in a very specific way.
> >
> > ~Arne
> >
> > On Fri, Mar 7, 2008 at 9:35 AM, Chak Nanga <[EMAIL PROTECTED]> wrote:
> >
> > > Hi,
> > >
> > > When I use a "normal" i.e. unsigned makeRequest() to my server to fetch content, I do not see any owner/viewer/app id info coming in as query params.
> > > However, I do see that info getting passed to my server when using SIGNED requests.
> > >
> > > Questions:
> > > 1. Is there a way to determine owner/viewer id when using unsigned requests?
> > > 2. Is there a spec which clearly states what additional info gets passed in for unsigned makeRequest() calls? I'm looking for something like this: http://groups.google.com/group/opensocial/web/content-fetching
> > >
> > > Thanks
> > > Chak

You received this message because you are subscribed to the Google Groups "OpenSocial Application Development" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/opensocial-api?hl=en
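The check Arne describes (the third-party site validating opensocial_* values against the container's shared secret, and never trusting them on an unsigned request) is shown below as an added example; it is not code from the thread or from the OpenSocial project. It implements the OAuth 1.0 HMAC-SHA1 signature base string and verifies it on the third-party side; a container that publishes a public certificate would use RSA-SHA1 over the same base string, so only the final signature check would change. The consumer key, shared secret, URL, ids, nonce and timestamp are constructed sample values, and the parameter names follow the thread's spelling (check them against your container's documentation).

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def _enc(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only A-Z a-z 0-9 - . _ ~ left unescaped)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0 signature base string: METHOD & enc(url) & enc(sorted, encoded params).

    Every request parameter except oauth_signature is covered, which is what makes the
    opensocial_* values tamper-evident once the container has signed them.
    """
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def container_sign_request(method, url, params, consumer_key, consumer_secret, nonce, timestamp):
    """Container side of a signed makeRequest: append the oauth_* params and sign everything."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    })
    signed["oauth_signature"] = hmac_sha1_signature(signature_base_string(method, url, signed), consumer_secret)
    return signed


def trusted_opensocial_identity(method, url, params, shared_secrets, now, max_skew=300):
    """Third-party server side: return the opensocial_* values only if the container's signature verifies.

    Returns None for unsigned requests (whatever opensocial_* params they carry), unknown consumer
    keys, unexpected signature methods, stale timestamps and signatures that do not verify.
    """
    signature = params.get("oauth_signature")
    if signature is None:
        return None  # unsigned: any opensocial_* value here was chosen by the client, not the container
    secret = shared_secrets.get(params.get("oauth_consumer_key"))
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return None
    try:
        timestamp = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return None
    if abs(now - timestamp) > max_skew:
        return None  # replay window; a production server would also remember seen (consumer_key, nonce) pairs
    expected = hmac_sha1_signature(signature_base_string(method, url, params), secret)
    if not hmac.compare_digest(expected, signature):
        return None
    return {k: v for k, v in params.items() if k.startswith("opensocial_")}


# Constructed sample data: hypothetical container key/secret, URL, ids, nonce and timestamp.
CONSUMER_KEY = "container.example"
SHARED_SECRETS = {CONSUMER_KEY: "constructed-shared-secret"}
URL = "https://thirdparty.example/gadget/data"
TS = 1204912260  # fixed so the sample signature is deterministic
SIGNED = container_sign_request(
    "GET", URL,
    {"opensocial_ownerid": "12345", "opensocial_viewerid": "67890", "opensocial_appid": "42", "q": "feed"},
    CONSUMER_KEY, SHARED_SECRETS[CONSUMER_KEY], nonce="f3a9c1", timestamp=TS,
)


def demo():
    """Valid signed request, forged owner id, unsigned request carrying opensocial_*, and a replay."""
    valid = trusted_opensocial_identity("GET", URL, SIGNED, SHARED_SECRETS, now=TS + 10)
    forged = trusted_opensocial_identity("GET", URL, dict(SIGNED, opensocial_ownerid="99999"), SHARED_SECRETS, now=TS + 10)
    unsigned = trusted_opensocial_identity("GET", URL, {"opensocial_ownerid": "12345", "q": "feed"}, SHARED_SECRETS, now=TS + 10)
    replayed = trusted_opensocial_identity("GET", URL, SIGNED, SHARED_SECRETS, now=TS + 3600)
    return valid, forged, unsigned, replayed


if __name__ == "__main__":
    print(demo())
```

Only the first case yields an identity the server may act on; the forged, unsigned and replayed requests all come back as None, so a proxy that passed client-supplied opensocial_* params through unsigned would gain the attacker nothing against a server that checks this way.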
