FYI: We've discovered that this patch breaks rpc.js -- I'm surprised it hadn't been identified earlier. The problem is in the following section.
Modified: > incubator/shindig/trunk/features/src/main/javascript/features/rpc/rpc.js > URL: > http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/rpc/rpc.js?rev=760649&r1=760648&r2=760649&view=diff > > ============================================================================== ...stuff... > + // Validate auth token. > + if (authToken[rpc.f]) { > + *// We allow type coercion here because all the url params are > strings.* > + if (authToken[rpc.f] !=*=* rpc.t) { > + throw new Error("Invalid auth token."); > + } > + } Type coercion is explicitly allowed in this case. Many clients do: gadgets.rpc.setAuthToken('id', someRandomNumber); ...particularly in server IFRAME rendering code, out of convenience. Further, this method (process(...)) is a duplicate of another in the same file. I'll submit a fix shortly. --John
