Hi Sanjay,

This is a great question. Technically, the entire request url and post body are signed. You can verify that any parameters in the request are exactly what was passed to the container via the makeRequest call, or added by the container itself. However, you cannot verify whether the user was tampering with values that were passed to the makeRequest call, since the user will have full control over the JavaScript running on their machine.
To use DB's example, say you want to post a "score" parameter in a makeRequest call - the container will accept this parameter and sign it, but since the container has no idea of what the correct value of "score" should be (since this is determined by your application) it will accept all values as valid. Essentially, you are trusting the user to send you correct values for any inputs passed to the makeRequest call.

There are some values which the user cannot fake, however, because they are inserted by the container. These values are:

opensocial_owner_id
opensocial_app_url

Optionally, the container may add the following:

opensocial_viewer_id
opensocial_instance_id
opensocial_app_id
xoauth_public_key

You can trust any of these values in a valid signed request. For more information, check out http://wiki.opensocial.org/index.php?title=Introduction_To_Signed_Requests which has a description of each property.

Hope this helps,
~Arne

On Mar 6, 1:51 am, Sanjay <skpate...@gmail.com> wrote:
> Hi,
>
> A novice curiosity. While a signed request is sent, which of the
> parameters are signed?
>
> A. only viewer_id
> B. only viewer_id, owner_id (what else?)
> C. all the parameters, including the custom ones sent by the
> application
>
> thanks,
> Sanjay
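An added example, not part of the original thread or of any OpenSocial container's code: a server-side check that verifies the signature and then separates the container-inserted parameters listed in the reply from application-supplied ones such as "score". It assumes the container signs with OAuth 1.0 HMAC-SHA1 and a shared secret so that it runs on the Python standard library alone; the function names, URL, secret and parameter values are constructed, and nonce/timestamp replay checks are left out.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Parameters the reply lists as inserted by the container itself.
CONTAINER_PARAMS = {
    "opensocial_owner_id", "opensocial_app_url", "opensocial_viewer_id",
    "opensocial_instance_id", "opensocial_app_id", "xoauth_public_key",
}

def _enc(s):
    return quote(str(s), safe="-._~")  # OAuth 1.0 percent-encoding (RFC 3986)

def signature(method, url, params, consumer_secret):
    """OAuth 1.0 HMAC-SHA1 signature over the method, URL and every parameter."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(consumer_secret)}&".encode()  # assumption: empty token secret
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def classify(method, url, params, consumer_secret):
    """Return (trusted, untrusted) parameters; raise ValueError on a bad signature."""
    expected = signature(method, url, params, consumer_secret).encode()
    supplied = params.get("oauth_signature", "").encode()
    if not hmac.compare_digest(expected, supplied):
        raise ValueError("signature mismatch: request changed after signing")
    trusted = {k: v for k, v in params.items() if k in CONTAINER_PARAMS}
    untrusted = {k: v for k, v in params.items()
                 if k not in CONTAINER_PARAMS and not k.startswith("oauth_")}
    return trusted, untrusted

def demo():
    secret, url = "constructed-shared-secret", "http://app.example/score"
    # Constructed request: "score" was edited in the user's browser before
    # makeRequest, so the container signed the edited value as-is.
    params = {"score": "999999", "opensocial_owner_id": "owner-1",
              "opensocial_app_url": "http://app.example/gadget.xml",
              "oauth_signature_method": "HMAC-SHA1"}
    params["oauth_signature"] = signature("POST", url, params, secret)
    trusted, untrusted = classify("POST", url, params, secret)
    # A value changed after signing no longer matches the signature.
    tampered = dict(params, opensocial_owner_id="owner-2")
    try:
        classify("POST", url, tampered, secret)
    except ValueError:
        return trusted, untrusted, True
    return trusted, untrusted, False
```

The signature passes for the edited score, so anything in the untrusted set still needs the application's own server-side validation.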