Imagine these functions (a call and a callback):

    // Store myData under "appDataKey" in the VIEWER's application data.
    function updateAppData(myData) {
        var req = opensocial.newDataRequest();
        req.add(req.newUpdatePersonAppDataRequest("VIEWER", "appDataKey", myData), "appDataHook");
        req.send(updateAppData_callback);
    }

    // Report whether the update request succeeded.
    function updateAppData_callback(response) {
        if (response.get("appDataHook").hadError()) {
            trace("updateFAIL");
        } else {
            trace("update APP was great Succes! Party On!");
        }
    }

Yes, it is a basic application data updater, which stores some data under the "appDataKey" for my application (e.g. high score, last time used, favourite dish, etc.).

In my opinion it is possible to script in Firebug a call to this function (e.g. inject <a href="javascript:updateAppData('this is malicious data');">inject it</a> in the current HTML of the app). In this case only the Viewer's AppData though (storing the string 'this is malicious data'). But it is still possible, I think... (6)

Is this indeed possible, and are there possible solutions for securing these calls?

Looking forward to your reactions/opinions!