A couple of things you can do:
1) Use the forcedLibs feature and configure the URL template so it
ends up on a CDN. You can do this by adding something like this to
the iframe URL:
libs=flash:opensocial-0.8
2) I discussed the security implications of putting the parentUrl in
the hash a long time ago with Brian Eaton. At that time we had
determined that it wasn't a significant exposure risk. The risk is
that an attacker could craft a URL with a parent parameter pointing at
another host. This would then make that iframe pass data using
rpc/ifpc to a non-legitimate host, where sensitive data could be
compromised. If the parent param is on the URL the gadget server can
reject non-compliant requests. With parent on the hash that's not
possible.
We determined that we were not sending sensitive data across these
channels, so we decided to put the parent param in the hash.
Your setup may be different, so beware.
On Dec 3, 2008, at 8:05 AM, Youri op 't Roodt wrote:
Hi,
We're trying to get the parsed XML cached at browser level, but the
'parent' parameter makes this impossible on Hyves because the
subdomain is different per user/context.
In the thread "Serializing parsed content and caching
GadgetHtmlParsers", I think Paul Lindner suggested to move the parent
parameter to the hashdata instead.
Is there any reason NOT to do this?
Thanks,
Youri op 't Roodt
Hyves
Paul Lindner
[EMAIL PROTECTED]
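
The trade-off discussed in this thread, as an added example that is not part of the original messages or of the project's code: with `parent` in the query string the gadget server can reject a bad value, while with `parent` in the hash the server never sees it, so any check has to run in the iframe before the value is used as an rpc target. The hosts `gadgets.example` and `container.example`, the allowlist rule and all function names are assumptions made for illustration.

```javascript
// Added example: hosts, allowlist and function names are constructed.
const ALLOWED_PARENT_SUFFIX = 'container.example'; // assumed container domain

// True only for https origins on the allowed domain or one of its
// per-user subdomains; rejects lookalikes such as evilcontainer.example.
function isAllowedParent(parent) {
  let u;
  try { u = new URL(parent); } catch (e) { return false; }
  if (u.protocol !== 'https:') return false;
  const host = u.hostname.toLowerCase();
  return host === ALLOWED_PARENT_SUFFIX ||
         host.endsWith('.' + ALLOWED_PARENT_SUFFIX);
}

// What the gadget server receives: browsers never send the fragment.
function urlSeenByServer(iframeUrl) {
  const u = new URL(iframeUrl);
  u.hash = '';
  return u.toString();
}

// Server-side decision. 'not-visible' means parent was not in the query
// string, so the server has nothing to accept or reject.
function serverDecision(iframeUrl) {
  const seen = new URL(urlSeenByServer(iframeUrl));
  const parent = seen.searchParams.get('parent');
  if (parent === null) return 'not-visible';
  return isAllowedParent(parent) ? 'accept' : 'reject';
}

// Client-side check for the hash variant: returns the origin to use as
// the rpc target, or null when parent is missing or not allowlisted.
function rpcTargetFromHash(iframeUrl) {
  const hash = new URL(iframeUrl).hash.replace(/^#/, '');
  const parent = new URLSearchParams(hash).get('parent');
  if (parent === null || !isAllowedParent(parent)) return null;
  return new URL(parent).origin;
}
```

The hash variant keeps the iframe URL identical across per-user subdomains, which is what makes it cacheable, but the only place left to enforce the allowlist is the client-side check.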