On Tue, Jan 29, 2008 at 12:03:57PM -0800, Brian Eaton wrote:
> Hey folks -
>
> When initializing a gadget it seems like the best place to put the
> gadget token is in the URL fragment, i.e.
> http://somegadget.com/foo.xml#t=token. What about when the token is
> returned to the gadget server for authenticated requests? The
> ProxyHandler code currently looks for the gadget token in the 't'
> request parameter, but I'd like to move it to an HTTP header. URL
> parameters tend to leak via the referer header, so moving the gadget
> token out of the URL would be a security win.

My gadgets.js has this.
@@ -499,7 +500,7 @@
return this.serverBase_ + 'ifr?url=' +
encodeURIComponent(this.specUrl) + '&synd=' + this.SYND +
'&mid=' +
this.id + '&parent=' + encodeURIComponent(gadgets.container.parentUrl_) +
- '&ogc=' + document.location.host + this.getUserPrefsParams();
+ '&ogc=' + document.location.host + this.getUserPrefsParams() + '#' +
this.hashState;
};
gadgets.IfrGadget.prototype.getUserPrefsParams = function() {
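Review bot: this.hashState on the added line is concatenated after '#' with no presence check and no encoding. If a caller leaves hashState out of the createGadget params, the iframe URL will end in '#undefined', and a value with characters that are not fragment-safe goes into the URL raw. Suggest appending '#' + encodeURIComponent(this.hashState) only when hashState is set, matching how specUrl and parentUrl_ are already encoded in this same expression, and adding a one-line comment saying what hashState is expected to carry.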
When you add a gadget you specify:
var gadget = gadgets.container.createGadget({specUrl: specUrl0,
hashState: 'xxxxxxx'});
I'll try and bundle up my changes for general consumption..
--
Paul Lindner
hi5 Architect
[EMAIL PROTECTED]
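
The referer concern raised in the quoted message, as an added example that is not part of the original thread or of the project's code: it compares what ends up in a Referer value when the token sits in the query versus the fragment, then builds a proxy request that carries the token in a header. The header name `X-Gadget-Token`, the proxy and target URLs, and the token value are assumptions made for illustration.

```javascript
// Added example. URLs and token are constructed; 'X-Gadget-Token' is a
// hypothetical header name, not one defined in this thread.

// Referer as a browser would send it under a full-URL policy: the page
// URL minus fragment and credentials. The fragment never leaves the client.
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.toString();
}

// True when the token would be visible to any site the page links to.
function leaksViaReferer(pageUrl, token) {
  return refererFor(pageUrl).includes(token);
}

// Gadget side: read the token from the fragment (#t=token), not the query.
function tokenFromFragment(pageUrl) {
  const frag = new URL(pageUrl).hash.replace(/^#/, '');
  return new URLSearchParams(frag).get('t');
}

// Build the proxy request with the token in a header instead of '&t=...'.
function buildProxyRequest(proxyBase, targetUrl, token) {
  if (!token) throw new Error('missing gadget token');
  // Reject CR/LF so a malformed token cannot split the header.
  if (/[\r\n]/.test(token)) throw new Error('invalid gadget token');
  const url = new URL(proxyBase);
  url.searchParams.set('url', targetUrl);
  return { url: url.toString(), headers: { 'X-Gadget-Token': token } };
}

const IN_QUERY = 'http://somegadget.com/foo.xml?t=SECRET123';
const IN_FRAGMENT = 'http://somegadget.com/foo.xml#t=SECRET123';

console.log('query leaks:', leaksViaReferer(IN_QUERY, 'SECRET123'));
console.log('fragment leaks:', leaksViaReferer(IN_FRAGMENT, 'SECRET123'));
const req = buildProxyRequest('http://container.example/proxy',
  'http://api.example/data', tokenFromFragment(IN_FRAGMENT));
console.log(req.url, req.headers);
```
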

