Note that certain parameters such as the viewer ID, owner ID, and
application ID cannot be tampered with through the JS debugger method, as
the container inserts these parameters itself.  So you can always
verify which user is performing the actions reliably, even if you
can't trust their input to be valid.

~Arne


On Mar 5, 7:41 pm, dburns <drrnb...@gmail.com> wrote:
> Hi all,
>
> I was reading about authentication here:
> http://wiki.opensocial.org/index.php?title=Introduction_To_Signed_Req....
>
> I understand that the server that receives the request can detect
> tampering during transit.  No problem there.  But what's to stop a
> user with a JavaScript debugger or similar tool from altering data at
> the source?
>
> Consider a simple example, where the application contains this
> JavaScript, which is supposed to set the high score of a game for the
> current user.
>
> function setHighScore(url, score) {
>     var params = {score};
>     params[gadgets.io.RequestParameters.AUTHORIZATION] =
>         gadgets.io.AuthorizationType.SIGNED;
>     gadgets.io.makeRequest(url, response, params);
> }
>
> What's to stop someone with a debugger from stopping on the first line
> and changing 'score' from the real value to 1,000,000 or whatever he/she
> chooses?
>
> Thanks,
> DB
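
The point made in the reply above, as a server-side sketch in Node.js (an added example, not code from the thread or from any OpenSocial container): once the OAuth signature verifies, `opensocial_viewer_id` identifies the acting user, while `score` remains client-supplied input that still has to be validated. Assumptions: HMAC-SHA1 with a shared consumer secret (a container that signs with RSA-SHA1 needs a public-key verify instead), the hypothetical names `handleHighScore`, `containerSign` and `maxPlausible`, and constructed sample values; timestamp and nonce checks are omitted.

```javascript
const crypto = require('crypto');

// RFC 3986 percent-encoding, as OAuth 1.0 requires.
const enc = s => encodeURIComponent(s).replace(/[!'()*]/g,
  c => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// OAuth 1.0 signature base string: METHOD & URL & parameters sorted by name.
function baseString(method, url, params) {
  const pairs = Object.keys(params).filter(k => k !== 'oauth_signature')
    .map(k => [enc(k), enc(params[k])])
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
    .map(p => p.join('=')).join('&');
  return [method.toUpperCase(), enc(url), enc(pairs)].join('&');
}

// HMAC-SHA1 key is "consumerSecret&tokenSecret"; signed requests carry no token.
function hmacSign(method, url, params, secret) {
  return crypto.createHmac('sha1', enc(secret) + '&')
    .update(baseString(method, url, params)).digest('base64');
}

// Hypothetical handler for the high-score endpoint.
function handleHighScore(method, url, params, secret, maxPlausible) {
  const expected = Buffer.from(hmacSign(method, url, params, secret));
  const given = Buffer.from(String(params.oauth_signature || ''));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Inserted by the container and covered by the signature: who is acting.
  const viewer = params.opensocial_viewer_id;
  // Set by client-side JS before signing: the signature says nothing about honesty.
  const score = /^\d+$/.test(params.score) ? Number(params.score) : NaN;
  if (Number.isNaN(score) || score > maxPlausible) {
    return { ok: false, reason: 'implausible score', viewer };
  }
  return { ok: true, viewer, score };
}

// Constructed stand-in for the container: it adds the identity parameters
// itself (overriding anything the gadget passed), then signs the request.
function containerSign(url, appParams, viewerId, secret) {
  const params = Object.assign({}, appParams, {
    opensocial_viewer_id: viewerId, opensocial_owner_id: viewerId,
    opensocial_app_id: 'app-1', oauth_signature_method: 'HMAC-SHA1' });
  params.oauth_signature = hmacSign('GET', url, params, secret);
  return params;
}
```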