[opensocial] Re: Security Problems

2007-11-10 Thread Daniel C. Silverstein (cubes)

Standard disclaimer, IANAG (I Am Not A Googler):

As I understand it, user preferences are an iGoogleism, and,  
generally speaking, will not be supported in most OpenSocial  
containers. I've heard reports that they work in Orkut, but, unless
we hear otherwise from the powers that be, you shouldn't depend on them.

Of course, at the moment, data storage support in most containers is  
pretty, well, uh, FAIL.  Plaxo *MAY* have a working data storage  
implementation, but it would be great if someone could verify this.

(Dan)

On Nov 3, 2007, at 6:12 PM, RickMeasham wrote:


 Appending an application URL with `up_whatever=value` will make the
 value accessible using the preferences module. This is a handy thing
 as you can give a URL out that passes something to the iframe like
 `up_show=overview`
 or
 `up_show=detail&up_item=12`

 However, it must be noted that anything specified like this will
 OVERRIDE the real user preferences.

 I can't see any exploit that this will allow, but do not blindly trust
 anything at all until there is some way of getting the information
 signed

 Cheers!
 Rick Measham


 


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
OpenSocial Developers group.
To post to this group, send email to opensocial-api@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/opensocial-api?hl=en
-~--~~~~--~~--~--~---



[opensocial] Re: Security Problems

2007-11-03 Thread RickMeasham

Appending an application URL with `up_whatever=value` will make the
value accessible using the preferences module. This is a handy thing
as you can give a URL out that passes something to the iframe like
`up_show=overview`
or
`up_show=detail&up_item=12`

However, it must be noted that anything specified like this will
OVERRIDE the real user preferences.

I can't see any exploit that this will allow, but do not blindly trust
anything at all until there is some way of getting the information
signed

Cheers!
Rick Measham
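
Added example, not part of the original thread or of any OpenSocial container's code: one way a gadget can treat `up_*` URL parameters as untrusted overrides, applying them only when they pass an allowlist and otherwise keeping the stored preference. The `SCHEMA` table, the `resolvePrefs` helper, the allowed values and the sample URLs are assumptions made for illustration.

```javascript
// Hypothetical allowlist: one validator per preference the gadget accepts
// from the URL. A validator returns the cleaned value, or undefined to reject.
const SCHEMA = {
  show: (v) => (["overview", "detail"].includes(v) ? v : undefined),
  item: (v) => (/^[0-9]{1,6}$/.test(v) ? Number(v) : undefined),
};

// Returns { prefs, rejected }. prefs starts as the stored preferences and
// receives only validated up_* overrides; rejected lists the names ignored.
function resolvePrefs(gadgetUrl, storedPrefs) {
  const prefs = { ...storedPrefs };
  const rejected = [];
  const seen = new Set();
  for (const [key, raw] of new URL(gadgetUrl).searchParams) {
    if (!key.startsWith("up_")) continue;
    const name = key.slice(3);
    // Own-property check so names such as __proto__ never match the schema.
    const known = Object.prototype.hasOwnProperty.call(SCHEMA, name);
    // First occurrence wins; a repeated parameter is rejected.
    const value = known && !seen.has(name) ? SCHEMA[name](raw) : undefined;
    seen.add(name);
    if (value === undefined) {
      rejected.push(name);
    } else {
      prefs[name] = value;
    }
  }
  return { prefs, rejected };
}

// Constructed sample input: stored preferences and two gadget URLs.
const stored = { show: "overview", item: 1, theme: "dark" };
const ok = resolvePrefs(
  "https://gadget.example/app.xml?up_show=detail&up_item=12", stored);
const bad = resolvePrefs(
  "https://gadget.example/app.xml?up_show=%3Cscript%3E&up_item=-1&up_theme=light",
  stored);
console.log(ok.prefs, ok.rejected);
console.log(bad.prefs, bad.rejected);
```

Logging the `rejected` names gives a simple signal when links carrying unexpected overrides are being circulated.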

