On Thu, Feb 26, 2009 at 2:44 PM, Jordan Zimmerman <jord...@shop.com> wrote: > As I just wrote out that scenario, I can see a potential security hole. > The remote server would be get all cookies set in the container.
That's not a potential hole. That's game over. > But, > then, this hole exists anyway as the gadget could get all cookies using > plain JS and send it in the makeRequest as a POST or whatever. No, it can't. Production opensocial containers run gadgets on cookie isolation domains for just this reason. For security purposes type=html gadgets are nothing but web applications that happen to be passed through a proxy. They don't get to mess with the container except in limited ways.
