from: http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests
It mentions the signed request should send query.opensocial_appid and some others. Orkut does not send them.

What blocks me from spoofing an app with another app? I can send a sendGift request (using the other example in OpenSocial docs) to that app's backend servers with my app fakeGift, and the sendGift backend will have no clue.

Is that assumption correct?

Thank you,
Gabriel
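An added example, not part of the original post or of the OpenSocial wiki: a backend check that accepts a container-signed request only when the signed parameters also carry the expected app id. It assumes the parameter name opensocial_app_id, uses a simplified HMAC-SHA1 signature with a constructed key in place of the container's real signature method so that it runs on the standard library alone, and all URLs, ids and keys are constructed.

```python
import hashlib
import hmac
from base64 import b64encode
from urllib.parse import quote

def _enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Signature base string over every parameter except oauth_signature
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def sign(method, url, params, key):
    # Assumption: the key is used directly as the HMAC key (simplified)
    digest = hmac.new(key, base_string(method, url, params).encode(),
                      hashlib.sha1).digest()
    return b64encode(digest).decode()

def validate(method, url, params, key, expected_app_id):
    """Return (ok, reason). Both checks must pass."""
    sig = params.get("oauth_signature", "")
    if not hmac.compare_digest(sig, sign(method, url, params, key)):
        return False, "bad signature"
    # A valid signature only shows that the container sent the request.
    # The signed app id is what ties it to one particular gadget.
    if params.get("opensocial_app_id") != expected_app_id:
        return False, "wrong or missing app id"
    return True, "ok"

# Constructed sample data (hypothetical key, URL and ids)
KEY = b"constructed-container-key"
URL = "https://backend.example/sendGift"

def container_request(app_id=None):
    # Simulates the container signing a gadget's outgoing request
    p = {"oauth_nonce": "n1", "oauth_timestamp": "1200000000",
         "opensocial_viewer_id": "111", "gift": "rose"}
    if app_id is not None:
        p["opensocial_app_id"] = app_id
    p["oauth_signature"] = sign("POST", URL, p, KEY)
    return p

if __name__ == "__main__":
    for app in ("sendGift-app", "fakeGift-app", None):
        print(app, validate("POST", URL, container_request(app), KEY, "sendGift-app"))
```

Because the app id is part of the signed parameter set, changing it after signing fails the signature check, and a request that omits it is rejected rather than trusted.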