Imagine these functions (a call and a callback):

function updateAppData(myData) {
    // Build a request that writes myData under "appDataKey" for the VIEWER,
    // and tag it with the key "appDataHook" so the callback can find it.
    var req = opensocial.newDataRequest();
    req.add(req.newUpdatePersonAppDataRequest("VIEWER", "appDataKey", myData), "appDataHook");
    req.send(updateAppData_callback);
}

function updateAppData_callback(response) {
    // trace() is the author's logging helper.
    if (response.get("appDataHook").hadError()) {
        trace("updateFAIL");
    } else {
        trace("update APP was great Success! Party On!");
    }
}

Yes, it is a basic application data updater, which stores some data
under the "appDataKey" for my application (e.g. highscore, last time
used, favourite dish, etc.).

In my opinion it is possible to script a call to this function in
Firebug (e.g. inject <a href="javascript:updateAppData('this is
malicious data');">inject it</a> into the current HTML of the app). In
this case only the Viewer's AppData, though (storing the string 'this is
malicious data'). But it is still possible, I think... (6)

Is this indeed possible, and are there possible solutions for securing
these calls?

Looking forward to your reactions/opinions!
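As an added example (not part of the original post), the following shows the defensive consequence of the point raised above: anything written through updateAppData() comes from the viewer's browser, so a value read back from "appDataKey" has to be validated like any other user input before it is trusted or rendered. It assumes a record layout the post does not define (a JSON string with highscore, lastUsed and favouriteDish fields) and the {personId: {key: value}} map shape of an OpenSocial fetch response; both are assumptions here.

```javascript
// Assumed record layout (not from the original post):
// '{"highscore": 1200, "lastUsed": 1230000000, "favouriteDish": "pizza"}'
const MAX_SCORE = 1000000;      // assumption: highest score the game can produce
const MAX_DISH_LENGTH = 40;
const MAX_RAW_LENGTH = 1024;

// Escape for safe insertion into HTML, since the gadget renders the value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a sanitized record, or null if the stored value is malformed.
// A free-form string such as the post's 'this is malicious data' is rejected
// at JSON.parse; a well-formed record with out-of-range fields is rejected below.
function parseAppData(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_RAW_LENGTH) return null;
  let obj;
  try {
    obj = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;

  const { highscore, lastUsed, favouriteDish } = obj;
  if (!Number.isInteger(highscore) || highscore < 0 || highscore > MAX_SCORE) return null;
  // lastUsed is a Unix timestamp in seconds; reject anything in the future.
  if (!Number.isInteger(lastUsed) || lastUsed < 0 || lastUsed > Date.now() / 1000 + 60) return null;
  if (typeof favouriteDish !== 'string' || favouriteDish.length > MAX_DISH_LENGTH) return null;
  if (/[\u0000-\u001f\u007f]/.test(favouriteDish)) return null;   // no control characters

  return { highscore, lastUsed, favouriteDish: escapeHtml(favouriteDish) };
}

// Assumed shape of response.get("appDataHook").getData() for a fetch of
// "appDataKey": { personId: { appDataKey: rawValue } }. Records that fail
// validation are dropped rather than rendered, so one tampered viewer
// cannot poison a shared view such as a highscore board.
function sanitizeAppDataMap(dataByPerson) {
  const clean = {};
  for (const personId of Object.keys(dataByPerson || {})) {
    const entry = dataByPerson[personId];
    const record = parseAppData(entry && entry.appDataKey);
    if (record !== null) clean[personId] = record;
  }
  return clean;
}
```

This only keeps bad data out of the gadget; it cannot stop a viewer from storing a fake but well-formed highscore, because the browser is not a trusted party and only a server the app controls can decide whether a score is legitimate.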