On Dec 3, 2008, at 3:34 PM, Kevin Brown wrote:
On Wed, Dec 3, 2008 at 3:05 PM, Paul Lindner <[EMAIL PROTECTED]> wrote:
A couple of things you can do:
1) Use the forcedLibs feature and configure the URL template so it
ends up
on a CDN. You can do this by adding something like this to the
iframe URL:
libs=flash:opensocial-0.8
Be careful when forcing features that you never force 0.7 if you
claims
support for 0.8. Forcing 0.8 is always OK (0.7 overrides), but
forcing 0.7
causes conflicts with the 0.8 code.
That's correct, you want to use the version number corresponding to
opensocial-current/feature.xml. Then the stubs used for older
versions are correctly injected into the iframe.
2) I discussed the security implications of putting the parentUrl
in the
hash a long time ago with Brian Eaton. At that time we had
determined that
it wasn't a significant exposure risk. The risk is that an
attacker could
craft a URL with a parent parameter pointing at another host. This
would
then make that iframe pass data using rpc/ifpc to a non-legitimate
host,
where sensitive data could be compromised. If the parent param is
on the
URL the gadget server can reject non-compliant requests. With
parent on the
hash that's not possible.
We determined that we were not sending sensitive data across these
channels, so we decided to put the parent param in the hash.
Your setup may be different, so beware.
On Dec 3, 2008, at 8:05 AM, Youri op 't Roodt wrote:
Hi,
We're trying to get the parsed XML cached at browser level, but the
'parent'
parameter makes this impossible on Hyves because the subdomain is
different
per user/context.
In the thread "Serializing parsed content and caching
GadgetHtmlParsers",
I
think Paul Lindner suggested to move the parent parameter to the
hashdata
instead.
Is there any reason NOT to do this?
Thanks,
Youri op 't Roodt
Hyves
Paul Lindner
[EMAIL PROTECTED]
Paul Lindner
[EMAIL PROTECTED]
