On Orkut, Ning, and later MySpace, your app consists of JavaScript in
a box. Simply by typing javascript:code into the address bar, you can
execute requests on its behalf. What's worse, it seems there is no way
in principle to defeat this, as long as the variables are on the
client side. A person can execute arbitrary JavaScript code using
Firebug or some such Firefox extension. And depending on the gadgets
they can probably even figure out a way to do VIRAL cross-site
scripting, like the "I have a million friends" hack on MySpace.
The one thing I would recommend right now, to achieve a moderate
degree of security is:
OBFUSCATE YOUR CODE BEFORE SUBMITTING TO GOOGLE
Yeah, use a packer and/or obfuscator to "compile" your code to
unreadable form. A determined person can probably still unravel it
back. Software programs can be decompiled too... but the impact is
only confined to one person's computer. Here, it may be MUCH greater.
The social networks should take care with this security. Is Google
working to fix the situation? There's gotta be a way...
Greg Magarshak
Mat
Greg
Don't forget that OpenSocial is a gadget interface.
Best,
Ramon Lima
In response to twentyafterfour's comment - this limitation doesn't
expose a security flaw in the JS API itself - you can only write to
VIEWER data, so there is no chance of malicious users corrupting other
users' data through use of the JS API. The problem lies in that we
haven't exposed our third party security mechanism yet, so developers
are resorting to poor security practices to pass unvalidated data back
to their server. For this reason, you should not be interacting with
a production service at this stage in development.
We understand the great demand for this functionality and it is a huge
priority for us. We want to get it right, though, so please bear with
us.
Thanks,
~Arne
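Added example, not part of the thread and not an OpenSocial API: one way an app server can avoid trusting data sent by gadget JavaScript is to accept a viewer id only when it is covered by a fresh signature. The container-side signing step, the shared secret, the field names and both function names are assumptions made for illustration; the thread says the real third-party security mechanism had not been published.

```python
import hashlib
import hmac
import time

# Assumption: a secret provisioned out of band between container and app server.
SHARED_SECRET = b"constructed-demo-secret"
MAX_AGE_SECONDS = 300


def _canonical(viewer_id, app_id, issued_at):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [str(viewer_id), str(app_id), str(int(issued_at))]
    return "".join(f"{len(p)}:{p}" for p in parts).encode()


def sign_viewer(viewer_id, app_id, issued_at, secret=SHARED_SECRET):
    """Container side (hypothetical): tag binding viewer, app and issue time."""
    return hmac.new(secret, _canonical(viewer_id, app_id, issued_at),
                    hashlib.sha256).hexdigest()


def verified_viewer(params, expected_app_id, now=None, secret=SHARED_SECRET):
    """App-server side: return the viewer id only if the tag verifies.

    Everything the gadget's JavaScript sends can be edited in the browser,
    so the viewer id is trusted only under a valid, fresh signature.
    """
    now = time.time() if now is None else now
    try:
        viewer_id = params["viewer_id"]
        app_id = params["app_id"]
        issued_at = int(params["issued_at"])
        tag = params["sig"]
    except (KeyError, TypeError, ValueError):
        return None                      # missing or malformed fields
    if app_id != expected_app_id or not isinstance(tag, str):
        return None                      # minted for another app, or bad type
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return None                      # stale or future-dated: limits replay
    expected = sign_viewer(viewer_id, app_id, issued_at, secret)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None                      # a signed field was changed client-side
    return viewer_id
```

The secret never reaches the browser, which is why obfuscating the client code is not needed for this check to hold.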
Just what I wanted to hear :) Any idea on a timeframe for the Data API and
JS authentication: days/weeks/months? It would help us focus our development
efforts greatly.
Thanks,