On Jan 29, 2008 12:03 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> Hey folks -
>
> When initializing a gadget it seems like the best place to put the
> gadget token is in the URL fragment, i.e.
> http://somegadget.com/foo.xml#t=token. What about when the token is
> returned to the gadget server for authenticated requests? The

gadgets.io needs to start passing this. I also want to rename this "st" (security token) to be slightly less vague.

> ProxyHandler code currently looks for the gadget token in the 't'
> request parameter, but I'd like to move it to an HTTP header. URL
> parameters tend to leak via the referer header, so moving the gadget
> token out of the URL would be security win.

+1 on using a header rather than a url parameter.
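
The token handling discussed in this thread, as an added example that is not part of the original messages or of the project's code: it shows that a token in the query string survives into the Referer value while one in the fragment does not, and a proxy request that carries the token in a header. The header name `x-gadget-token`, the `url` proxy parameter, the request object shape and the example hosts are assumptions made for illustration.

```javascript
// Added illustration, not project code. Header name, proxy parameter and
// hosts below are hypothetical; sample URLs are constructed.
const TOKEN_HEADER = 'x-gadget-token'; // hypothetical header name

// Referer value a browser derives from a page URL when its referrer policy
// sends the full URL: fragment and userinfo are stripped, the query is kept.
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.toString();
}

// Gadget side: read the token from the fragment (#t=token).
function tokenFromFragment(pageUrl) {
  const frag = new URL(pageUrl).hash.replace(/^#/, '');
  return new URLSearchParams(frag).get('t');
}

// Gadget side: build the proxy request with the token in a header, so the
// request URL (and anything logged or referred from it) carries no token.
function buildProxyRequest(proxyUrl, targetUrl, token) {
  const u = new URL(proxyUrl);
  u.searchParams.set('url', targetUrl); // hypothetical parameter name
  return { url: u.toString(), headers: { [TOKEN_HEADER]: token } };
}

// Server side: accept the token only from the header, and report whether a
// 't' parameter was present so callers still leaking it can be found.
function readToken(req) {
  const query = new URL(req.url).searchParams;
  const token = req.headers[TOKEN_HEADER] || null;
  return { token, tokenInUrl: query.has('t') };
}

// Constructed sample values.
const inFragment = 'http://somegadget.com/foo.xml#t=token';
const inQuery = 'http://somegadget.com/foo.xml?t=token';
const request = buildProxyRequest(
  'http://container.example/proxy', 'http://api.example/data',
  tokenFromFragment(inFragment));

console.log(refererFor(inFragment)); // fragment token is not sent
console.log(refererFor(inQuery));    // query token is sent
console.log(readToken(request));
```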

