[OpenSocial] Re: XSS Solution without Gadgets?

[Chris Chabot]

Hey Andi,

I'm not entirely sure what exactly you're trying to do and what exact error
you are running into, could you possibly please provide us with a bit more
info and/or code snippets of what you are doing? :)

Are you manually including shindig's javascript code from your gadget, or
what javascript code is coming from where?

How you would normally use your own JS libraries is by doing something as
simple as:

<Module>
.... lots of stuff ...
<Content type="html" view="profile"><![CDATA[
<script src="http://my.server.com/js/myLibrary.js";></script>
<script>
function foo() {
  myLibrary_bar();
}
</script>
.. other html, css and js stuff..
</Content>
</Module>

No magic required, and this wont cause any errors either. All the other
javascript (opensocial.*, gadget.*, etc) will be injected by shindig, and
there's no need to manually add that at all.

Now if your trying to make an Ajax call to your data back-end, you would get
hit by the browsers cross domain, and that's what gadgets.io.makeRequest()
is for, it will proxy the ajax call to shindig, which will relay that call
to whatever url you specified in your makeRequest call, since the gadget and
shindig are on the same domain, this gets passed through without any
problems.

Lastly, all the OpenSocial (&gadget.*) javascript code is already provided
for you, no need to write any your own, so if you've implemented shindig,
I'm not sure why you say you are "implementing the javascript code to talk
to the backend".

Take partuza for example (open source, you can find the code on
code.google.com/p/partuza), it includes the server side rpc.js?c=1 in the
containing page (see html source of http://www.partuza.nl/), and implements
the rpc calls (see http://www.partuza.nl/js/container.js), and creates an
iframe that points to shindig (in this case, it runs on modules.partuza.nl).
All the javascript code that is required to make the OpenSocial API's work
is injected by shindig (see frame source of the gadget in
http://www.partuza.nl/profile/application/1/2/14020, make sure to right
click inside the gadget area and select "view frame source"), and that
functionality is build into shindig, no need to custom code anything your
self.

Anyhow, I hope this shot-gun approach of answering mentioned to hit your
question too, and if not, please let us know & give us a bit more detail
about what you're trying to do :)

   -- Chris

On Wed, Jun 24, 2009 at 1:40 PM, Andi <andreas.schuet...@navteq.com> wrote:

>
> Hi all,
>
> i'm trying to understand since a few hours all that system. We did a
> Shindig implementation and now
> i need to implement a javascript part talking to the backend .-)
>
> the example stated in the docs like here for newDataRequest (
> http://wiki.opensocial.org/index.php?title=Opensocial_(v0.8)<http://wiki.opensocial.org/index.php?title=Opensocial_%28v0.8%29>)
>  works
> flawless if i load my jscode from the same server where the shindig
> implementation is running on, but i need to move my widget to another
> server and i think you already guess...
> this will lead to well known: uncaught exception: Access to restricted
> URI denied (NS_ERROR_DOM_BAD_URI)
> my js code comes from Server A and needs to the shindig impl on server
> B.
>
> I've read about the different relay mechanisms but i'm currently
> really in trouble understanding them? As mentioned i'm not
> implementing a real gadget, i'm simply using the opensocial api
> directly.
>
> So is there a already prepared way to have DataRequest.send workaround
> that problem? A hint to a good documentation for that would be very
> helpful
>
> many thanks for your help.
> Andi
> >
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OpenSocial Application Development" group.
To post to this group, send email to opensocial-api@googlegroups.com
To unsubscribe from this group, send email to 
opensocial-api+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/opensocial-api?hl=en
-~----------~----~----~----~------~----~------~--~---