>> As I just wrote out that scenario, I can see a potential security
hole.
>> The remote server would get all cookies set in the container.
>
>That's not a potential hole.  That's game over.

I agree. Writing out the scenario makes it plain.

However, I don't see any problems with the gadget setting/getting
cookies from its remote server. It's implicit in the spec anyway
(especially if your proposal were to be accepted:
http://groups.google.com/group/opensocial-and-gadgets-spec/browse_thread/thread/51b016b80e9d21e6?pli=1).
Why not make this easier on gadgets?

BTW - should I move this discussion to the OS spec board?

Here's a revised proposal:

* MyGadget is running in container www.oscontainer.com
* MyGadget makes a makeRequest call to "http://www.shop.com/whatever"
* The container, when processing the call, checks for an internal cache
of cookies set for the gadget. If found, they're included as a "Cookie"
request header.
* When the container processes the response, any "Set-Cookie" response
headers are added to the gadget's cache.

With your idea of including HTTP response headers, this would all be
possible to do manually in the gadget anyway.

Jordan Zimmerman
Principal Software Architect
831.647.4712
831.214.2990 (cell)

SHOP*COM(TM)
Shop Smart, Save Big(tm)
www.shop.com

This message (including any attachments) is intended only for
the use of the individual or entity to which it is addressed and
may contain information that is non-public, proprietary,
privileged, confidential, and exempt from disclosure under
applicable law or may constitute attorney work product.
If you are not the intended recipient, you are hereby notified
that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this
communication in error, notify us immediately by telephone and
(i) destroy this message if a facsimile or (ii) delete this message
immediately if this is an electronic communication.

Thank you.
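The revised proposal above (a container-side cache of cookies per gadget, replayed as a "Cookie" header and refilled from "Set-Cookie") can be sketched as a small cookie jar. The following is an added example written for this discussion, not code from the thread, the OpenSocial spec or any container implementation; `GadgetCookieJar`, `makeRequest`, `fakeShopServer` and the gadget/host names in it are assumptions. The jar is keyed first by gadget and then by the host that set each cookie, which is what keeps the "game over" case out: a remote server only ever receives cookies it set for that one gadget, never the container's own cookies, and a Set-Cookie that names an unrelated Domain is dropped.

```javascript
'use strict';
// Hypothetical container-side cookie store for gadget makeRequest calls.
// Each gadget gets its own jar; inside a jar, cookies are scoped to the host
// (or parent domain) that set them, so www.shop.com never sees cookies that
// belong to www.oscontainer.com or to another gadget.

class GadgetCookieJar {
  constructor() { this.jars = new Map(); } // gadgetUrl -> Map(key -> cookie)

  // Parse one Set-Cookie header value. Returns null when the cookie is
  // malformed or tries to claim a domain the responding host is not part of.
  static parseSetCookie(header, requestHost) {
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq <= 0) return null;
    const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                     domain: requestHost.toLowerCase(), hostOnly: true,
                     path: '/', secure: false, expires: null };
    for (const a of attrs) {
      const i = a.indexOf('=');
      const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
      const v = i < 0 ? '' : a.slice(i + 1);
      switch (k) {
        case 'domain': {
          const d = v.replace(/^\./, '').toLowerCase();
          // A server may scope a cookie only to itself or to a parent domain.
          if (cookie.domain !== d && !cookie.domain.endsWith('.' + d)) return null;
          cookie.domain = d; cookie.hostOnly = false; break;
        }
        case 'path': cookie.path = v || '/'; break;
        case 'secure': cookie.secure = true; break;
        case 'max-age': cookie.expires = Date.now() + Number(v) * 1000; break;
        default: break; // Expires, HttpOnly, etc. are ignored in this sketch
      }
    }
    return cookie;
  }

  // Add the Set-Cookie headers from a response to this gadget's jar.
  store(gadgetUrl, requestUrl, setCookieHeaders) {
    const host = new URL(requestUrl).hostname;
    if (!this.jars.has(gadgetUrl)) this.jars.set(gadgetUrl, new Map());
    const jar = this.jars.get(gadgetUrl);
    for (const h of setCookieHeaders) {
      const c = GadgetCookieJar.parseSetCookie(h, host);
      if (c) jar.set(`${c.domain}|${c.path}|${c.name}`, c);
    }
  }

  // Build the Cookie header for a request this gadget is about to make.
  cookieHeader(gadgetUrl, requestUrl) {
    const u = new URL(requestUrl);
    const jar = this.jars.get(gadgetUrl) || new Map();
    const out = [];
    for (const c of jar.values()) {
      if (c.expires !== null && c.expires < Date.now()) continue;
      const domainOk = c.hostOnly ? u.hostname === c.domain
        : (u.hostname === c.domain || u.hostname.endsWith('.' + c.domain));
      const prefix = c.path.endsWith('/') ? c.path : c.path + '/';
      const pathOk = u.pathname === c.path || u.pathname.startsWith(prefix);
      if (domainOk && pathOk && (!c.secure || u.protocol === 'https:')) {
        out.push(`${c.name}=${c.value}`);
      }
    }
    return out.join('; ');
  }
}

// Container-side makeRequest proxy. `transport` is an injected function
// (url, headers) -> {status, headers: {'set-cookie': [...]}, body} so the
// example runs offline against a constructed fake server.
function makeRequest(jar, gadgetUrl, targetUrl, transport) {
  const headers = {};
  const cookie = jar.cookieHeader(gadgetUrl, targetUrl);
  if (cookie) headers['Cookie'] = cookie;
  const resp = transport(targetUrl, headers);
  jar.store(gadgetUrl, targetUrl, resp.headers['set-cookie'] || []);
  return resp;
}

// Constructed fake www.shop.com: on a first visit it sets a session cookie
// and also tries to set one scoped to oscontainer.com, which the jar refuses.
// It echoes the Cookie header it received so the caller can see what leaked.
function fakeShopServer(url, headers) {
  const setCookie = headers['Cookie'] ? [] :
    ['session=abc123; Path=/; Max-Age=3600', 'evil=1; Domain=oscontainer.com'];
  return { status: 200, headers: { 'set-cookie': setCookie }, body: headers['Cookie'] || '' };
}

module.exports = { GadgetCookieJar, makeRequest, fakeShopServer };
```

Two calls from the same gadget to www.shop.com show the second one carrying `session=abc123`, while a different gadget, or the same gadget talking to www.oscontainer.com, gets an empty Cookie header. The per-gadget keying is the design choice that matters: a shared jar would turn one gadget's shop.com session into every gadget's shop.com session.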
