On Fri, Mar 7, 2008 at 10:47 AM, Arne Roomann-Kurrik <[EMAIL PROTECTED]> wrote:
> Naturally, servers should always validate all signed data, but should
> shindig take the precaution of clearing all user-supplied opensocial_*
> querystring values from unsigned requests?
Nah, it would be pointless. What would stop an attacker from bypassing Shindig completely?
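
Added example, not part of the original thread and not Shindig's code: a server-side check that returns opensocial_* values only when the request signature verifies, so a request sent directly to the server with no proxy in front of it gains nothing. It assumes the container signs requests with OAuth 1.0 HMAC-SHA1 and a shared consumer secret (the thread does not say which scheme is in use); the function names, URL and secret are hypothetical.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlencode

def _enc(s):
    """Percent-encode as RFC 5849 requires (only unreserved chars stay bare)."""
    return quote(s, safe="-._~")

def oauth_hmac_sha1(method, url, params, consumer_secret):
    """OAuth 1.0 HMAC-SHA1 signature over every parameter except the signature."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = _enc(consumer_secret) + "&"  # assumption: no token secret (two-legged)
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def trusted_opensocial_params(method, url, query, consumer_secret):
    """Return opensocial_* values only if the request signature verifies.

    Unsigned, tampered or ambiguous requests yield {} so the application never
    acts on caller-supplied identity, whether or not a proxy filtered it first.
    Nonce/timestamp replay checks are out of scope here.
    """
    params = parse_qsl(query, keep_blank_values=True)
    names = [k for k, _ in params]
    if names.count("oauth_signature") != 1 or len(set(names)) != len(names):
        return {}  # missing signature or duplicated parameter names
    supplied = dict(params)["oauth_signature"]
    expected = oauth_hmac_sha1(method, url, params, consumer_secret)
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {}
    return {k: v for k, v in params if k.startswith("opensocial_")}

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret, url = "constructed-shared-secret", "https://app.example/data"
    p = [("opensocial_viewer_id", "1234"), ("oauth_consumer_key", "container.example"),
         ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1204900000"),
         ("oauth_nonce", "n1")]
    signed = urlencode(p + [("oauth_signature", oauth_hmac_sha1("GET", url, p, secret))])
    print(trusted_opensocial_params("GET", url, signed, secret))
    print(trusted_opensocial_params("GET", url, "opensocial_viewer_id=1234", secret))
```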

