Hi Sanjay, I posted a somewhat-related question here: http://groups.google.com/group/opensocial-api/browse_thread/thread/82c34080cd8b57a9/ccf0e8dcb1738aeb?hl=en#ccf0e8dcb1738aeb. The link I referenced suggests at the bottom of the page that it would be option B. I presume the parameters in bold there are all signed and can be trusted. My question was more along the lines of how do you prevent OTHER parameters from being tampered with (as in your option C). I got no response but I just don't see what's to prevent your own app's parameters from being altered just before they're sent. Anything you do at the client is visible to an attacker.
DB

On Mar 6, 3:51 am, Sanjay <skpate...@gmail.com> wrote:
> Hi,
>
> A novice curiosity. While a signed request is sent, which of the
> parameters are signed?
>
> A. only viewer_id
> B. only viewer_id, owner_id (what else?)
> C. all the parameters, including the custom ones sent by the
> application
>
> thanks,
> Sanjay