On Jan 29, 2008 6:14 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> On Jan 29, 2008 5:39 PM, Reinoud Elhorst <[EMAIL PROTECTED]> wrote:
> > Presently, I'm at the point where pretty much everything works except for
> > the API calls back to the site; I wanted to make sure I was going in the
> > right direction with regard to the exchange of the security token.
>
> There is very little server-side container implemented in Shindig at
> the moment. I'm taking a first pass at it. Feedback on the approach
> is welcome:
>
> - user logs in to the container
> - container uses the GadgetServer to render the gadget in 'Container'
>   mode (which doesn't do much at the moment)
> - container uses GadgetSigner (which I'm renaming to
>   GadgetTokenSigner) to create the security token for the gadget
> - container creates an iframe that passes in the security token like
>   this: <iframe src='/gadgets/ifr?url=<gadget>&mid=<module-id>#st=<the
>   security token>
Real production sites should always render the iframe on a different domain from the parent site. This is critical for security. Without it, none of the other security solutions matter.

> - GadgetServer behind /gadgets/ifr works its magic to render the gadget.
> - gadgets.io javascript pulls security token out of the URL.
> - gadgets.io javascript passes security token as
>   X-Gadget-Security-Token in XHR requests to the JSON proxy.
>
> Cheers,
> Brian
>

