Hi, my gadget issues an AJAX call to remotely update some data when its state changes. The AJAX endpoint is the same server that hosts the gadget.xml (App Engine). Currently, anyone looking at the gadget's source can see the endpoint and call it themselves with some query parameters to effectively submit any data they like.
The question is how to prevent this. It's only a matter of time until Wave gadget hacking becomes a new pastime.

1* Inspect the HTTP header on the server to check whether the call originates from Google?
>> Does not really solve the problem, although it perhaps makes it a little harder for the attacker. Malicious gadgets could be embedded. What about HTTP header spoofing (I don't know)? And once federation kicks in, the gadget would only work on Google's Wave browser. No, not a solution.

2* OAuth? I keep reading about OAuth in this forum and started to read the docs again. Is that the way to go? I haven't read much yet, but tokens would have to be stored somewhere in the gadget, wouldn't they?

Is there perhaps an obvious third approach - after all, gadget.xml and the endpoint are on the same server...

Anyway, love Wave, it's so much fun to use and even more so to program.

Thanks,
HC
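The header-spoofing concern raised in option 1* above is easy to confirm in code. The following is an added example, not code from the post or from the Wave gadget APIs: a minimal WSGI handler of the kind one might deploy on App Engine, which trusts a request when its Referer header looks like it came from the Wave client and then stores whatever the query string says. The handler, the `/update` path, the `key`/`value` parameters and the trusted-prefix value are all assumptions. The requests are constructed in-process (no network), and the forged one is accepted exactly like the legitimate one, because every request header is chosen by the client.

```python
"""Why an HTTP-header check on a gadget's AJAX endpoint does not authenticate
the caller.  Added example, not code from the original post.  The handler,
the endpoint path, the parameter names and the trusted Referer prefix are
assumptions made for illustration."""
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Assumed "trusted origin" the naive check looks for.
TRUSTED_REFERER_PREFIX = "https://wave.google.com/"

# Stands in for the App Engine datastore the real endpoint would write to.
STORE = {}


def update_app(environ, start_response):
    """Naive WSGI handler: accepts the update if the Referer header starts
    with the trusted prefix, then writes the query-string values verbatim.
    The Referer header is supplied by whoever sends the request, so this
    check only filters browsers that set it honestly; it is not
    authentication."""
    referer = environ.get("HTTP_REFERER", "")
    if not referer.startswith(TRUSTED_REFERER_PREFIX):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden"]
    params = parse_qs(environ.get("QUERY_STRING", ""))
    key = params.get("key", [""])[0]
    value = params.get("value", [""])[0]
    STORE[key] = value  # anything the caller put in the URL is stored
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, query, headers):
    """Drive the WSGI app in-process with a constructed GET request.
    Returns (status_code, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = "GET"
    environ["PATH_INFO"] = "/update"          # assumed endpoint path
    environ["QUERY_STRING"] = query
    for name, val in headers.items():
        # WSGI exposes request headers as HTTP_<UPPER_NAME>
        environ["HTTP_" + name.upper().replace("-", "_")] = val
    status = {}

    def start_response(status_line, response_headers):
        status["code"] = int(status_line.split()[0])

    body = b"".join(app(environ, start_response))
    return status["code"], body


def demo():
    """Three constructed requests against the naive handler.
    Returns (legit_status, forged_status, no_header_status, stored_value)."""
    # 1. The gadget itself, running in the Wave client, sends the header honestly.
    legit = call(update_app, "key=score&value=10",
                 {"Referer": "https://wave.google.com/wave/"})
    # 2. Someone who read the endpoint out of gadget.xml sends the same header
    #    from curl or any HTTP library and submits whatever value they like.
    forged = call(update_app, "key=score&value=999999",
                  {"Referer": "https://wave.google.com/wave/"})
    # 3. Only a caller who does not bother to set the header is rejected.
    no_header = call(update_app, "key=score&value=5", {})
    return legit[0], forged[0], no_header[0], STORE["score"]


if __name__ == "__main__":
    print(demo())
```

The same applies to the Origin header or any other request header: a non-browser client sets them freely, so a server-side header check distinguishes well-behaved browsers from everything else, not the gadget from an attacker.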