On Nov 30, 2007, at 5:08 AM, Reinoud Elhorst wrote:
> Firstly, OpenSocial gadgets at this moment are only content type
> html, as far as I understand it. This way, this API is only defined
> at the JavaScript level, and everything else is left to
> implementation by individual containers.
>
Gotcha. That's a bit unfortunate. As far as I can tell, it would
imply that an application that wanted to communicate with a backing
store (other than the SPI-provided persistence API) would need to
proxy web requests ("validate this is a legal scrabble move") via the
container, or would need to resort to JSONP-style stuff.
Or am I missing something obvious?
> I believe that is the right way to go for the 1.0 version of
> OpenSocial: it allows for quick deployment of containers on sites
> that are totally different internally. I can definitely imagine
> that a future version of OpenSocial will allow for the url-type,
> and perhaps define the gadget-container interaction on a different
> level.
>
Even so, I'm a bit puzzled as to how sandboxing works.
To avoid the obvious cross-domain scripting attacks, you'd want to
make sure that the social gadget was loaded via an IFRAME, and that
IFRAME was hosted on a different domain (the "gadget host") than your
containing page's content (the "container host").
I guess in that case, my "gadget host" provides the SPI. I play with
domain suffixes and cookies in such a way that the gadget content
can use the container's cookie to glean information about the
identity of the "viewer", but still can't reach out of the IFRAME.
The SPI turns into web requests back to the gadget host, which
presumably can access all of my social network's information.
Am I understanding this correctly?
> There are some talks of dropping the iframe-security and replacing
> it by Caja (in the future, on some containers). I wouldn't be too
> sure on how this would interact with the content-type=url either.
>
Yes, this makes sense, but it seems like this is a performance
optimization.
But I'm still a bit stumped as to, say, how Scrabulous will get
implemented as an HTML content-type. (I mean, I can see how they'd
just resort to egregious hackery to do so, but...it seems like a lot
of gadgets will want to interact with some other service that's
hosted somewhere else.)
Anyway, thanks for your response!
chris
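
Added example, not part of the message above and not OpenSocial or container code: a small model of the two browser rules the IFRAME arrangement in the message relies on, the same-origin policy and RFC 6265 cookie domain matching. The host names, the cookie and the function names are constructed for illustration; cookie Path and Secure attributes are ignored.

```javascript
// Added illustration. Host names are constructed; the cookie is a
// hypothetical container session cookie.

// Same-origin policy: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 domain-match: the host equals the cookie's Domain
// attribute or is a subdomain of it.
function cookieDomainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return h === d || h.endsWith("." + d);
}

// What a gadget framed from gadgetUrl can and cannot touch when the
// page at containerUrl has set the given cookie.
function assessGadgetFrame(containerUrl, gadgetUrl, cookie) {
  const gadgetHost = new URL(gadgetUrl).hostname;
  const sent = cookieDomainMatches(gadgetHost, cookie.domain);
  return {
    // DOM access from the IFRAME into the containing page
    gadgetCanScriptContainer: sameOrigin(containerUrl, gadgetUrl),
    // the gadget host's server sees the cookie on requests to it
    cookieSentToGadgetHost: sent,
    // gadget JavaScript can read it through document.cookie
    cookieReadableByGadgetScript: sent && !cookie.httpOnly,
  };
}

const CONTAINER = "http://www.social.example.test/profile";
const GADGET = "http://gadgets.social.example.test/ifr?id=1";

function demo() {
  const suffix = "social.example.test";
  return {
    sharedSuffix: assessGadgetFrame(CONTAINER, GADGET, { domain: suffix, httpOnly: false }),
    sharedSuffixHttpOnly: assessGadgetFrame(CONTAINER, GADGET, { domain: suffix, httpOnly: true }),
    hostScoped: assessGadgetFrame(CONTAINER, GADGET, { domain: "www.social.example.test", httpOnly: false }),
  };
}

console.log(demo());
```

With the cookie scoped to the shared suffix, the gadget host receives it while the frame still cannot script the container; unless the cookie is HttpOnly, gadget script can also read it directly.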