On 30/01/2008, Kevin Brown <[EMAIL PROTECTED]> wrote:
>
> Real production sites should always render the iframe on a different domain
> from the parent site. This is critical for security. Without it, none of the
> other security solutions matter.
>

This would be true for 3rd party gadgets - but what about the domain's own gadgets? For example, http://www.google.com/ig also hosts gadgets for Google's other applications, e.g. mail, Google Reader, Google Calendar, GGE etc, etc...

For the domain's own gadgets, wouldn't they be served from an iframe on the same domain? This then supports SSO across the apps from the same domain?

If so, does this imply there need to be two instances of the ifpc_relay.html file - one for 3rd party gadgets that is not hosted on the main domain but somewhere else, and one for the domain's own gadgets?

Martin

