Redirecting this discussion to the appropriate list. If you're not subscribed to [EMAIL PROTECTED], please do so. Shindig hasn't actually implemented OAuth yet, but when we do so we will do whatever the spec requires.
On Fri, Mar 7, 2008 at 11:40 AM, Arne Roomann-Kurrik <[EMAIL PROTECTED]> wrote:
> True, I suppose that if they don't bother validating the request, they won't
> bother seeing where the request comes from.
>
> ~Arne
>
>
> On Fri, Mar 7, 2008 at 11:20 AM, Brian Eaton <[EMAIL PROTECTED]> wrote:
>
> > On Fri, Mar 7, 2008 at 10:47 AM, Arne Roomann-Kurrik <[EMAIL PROTECTED]>
> > wrote:
> > > Naturally, servers should always validate all signed data, but should
> > > shindig take the precaution of clearing all user-supplied opensocial_*
> > > querystring values from unsigned requests?
> >
> > Nah, it would be pointless. What would stop an attacker from
> > bypassing Shindig completely?
>
>

-- 
~Kevin
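As an added illustration of the server-side check the thread relies on (not code from this thread or from Shindig): a receiving server that only trusts opensocial_* query parameters when the request carries a verifiable OAuth 1.0 HMAC-SHA1 signature, and ignores them on unsigned or tampered requests. The shared secret, URL and parameter values below are constructed for the example; a real deployment would also check oauth_timestamp and oauth_nonce against replay.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def _enc(value):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters are left as-is."""
    return quote(str(value), safe="-._~")


def oauth_base_string(method, base_url, params):
    """Build the OAuth 1.0 signature base string; oauth_signature itself is excluded."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; signed fetch uses an empty token secret."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    msg = oauth_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def sign_request(method, base_url, params, consumer_secret):
    """What a signing proxy (the container) would attach before forwarding the request."""
    signed = dict(params, oauth_signature_method="HMAC-SHA1")
    signed["oauth_signature"] = hmac_sha1_signature(method, base_url, signed, consumer_secret)
    return signed


def trusted_opensocial_params(method, base_url, params, consumer_secret):
    """Return the opensocial_* values only if the signature verifies, otherwise {}.

    An unsigned request can carry any opensocial_* values the sender likes, so the
    server, not the proxy, is the place where they are accepted or discarded.
    """
    presented = params.get("oauth_signature")
    if not presented or params.get("oauth_signature_method") != "HMAC-SHA1":
        return {}
    expected = hmac_sha1_signature(method, base_url, params, consumer_secret)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return {}
    return {k: v for k, v in params.items() if k.startswith("opensocial_")}
```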

