True, I suppose that if they don't bother validating the request, they won't bother seeing where the request comes from.
~Arne

On Fri, Mar 7, 2008 at 11:20 AM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> On Fri, Mar 7, 2008 at 10:47 AM, Arne Roomann-Kurrik <[EMAIL PROTECTED]> wrote:
> > Naturally, servers should always validate all signed data, but should
> > shindig take the precaution of clearing all user-supplied opensocial_*
> > querystring values from unsigned requests?
>
> Nah, it would be pointless. What would stop an attacker from
> bypassing Shindig completely?

