On Wed, Dec 3, 2008 at 3:05 PM, Paul Lindner <[EMAIL PROTECTED]> wrote:
> A couple of things you can do: > > 1) Use the forcedLibs feature and configure the URL template so it ends up > on a CDN. You can do this by adding something like this to the iframe URL: > libs=flash:opensocial-0.8 Be careful when forcing features that you never force 0.7 if you claims support for 0.8. Forcing 0.8 is always OK (0.7 overrides), but forcing 0.7 causes conflicts with the 0.8 code. > 2) I discussed the security implications of putting the parentUrl in the > hash a long time ago with Brian Eaton. At that time we had determined that > it wasn't a significant exposure risk. The risk is that an attacker could > craft a URL with a parent parameter pointing at another host. This would > then make that iframe pass data using rpc/ifpc to a non-legitimate host, > where sensitive data could be compromised. If the parent param is on the > URL the gadget server can reject non-compliant requests. With parent on the > hash that's not possible. > > We determined that we were not sending sensitive data across these > channels, so we decided to put the parent param in the hash. > > Your setup may be different, so beware. > > > > On Dec 3, 2008, at 8:05 AM, Youri op 't Roodt wrote: > > Hi, >> >> We're trying to get the parsed XML cached at browser level, but the >> 'parent' >> parameter makes this impossible on Hyves because the subdomain is >> different >> per user/context. >> >> In the thread "Serializing parsed content and caching GadgetHtmlParsers", >> I >> think Paul Lindner suggested to move the parent parameter to the hashdata >> instead. >> >> Is there any reason NOT to do this? >> >> Thanks, >> >> Youri op 't Roodt >> Hyves >> >> > Paul Lindner > [EMAIL PROTECTED] > > > >
