Subject: Re: thoughts on OAuth and URL-based social gadgets
From: Chris Waterson (wate@gmail.com)
Date: 12/04/2007 09:37:40 AM
List: com.googlegroups.opensocial-container

On Dec 4, 3:44 am, "Reinoud Elhorst" <goo@claude.nl> wrote:

> 3) You haven't made a case why you need url contenttype. If you need pages rendered on some server, just retrieve them using ajax and display them

Network topology.

The social network I'm building has some gadgets I want to host behind a firewall. Someone who is behind the firewall can access the gadget; someone who isn't, can't. For example, I'd like to allow a gadget that can access some resource that a corporation wants to guard. (Corporate calendar, email system, whatever.)

I realize there are ways to hack around this (like creating a public proxy server that can reach behind the firewall, or using "JSONP" <script> tag fetches from the UA to defeat cross-domain restrictions), but those have security consequences. Namely, let's say we consider the gadget to be "trusted", but the container to be "untrusted". Since the gadget is trusted, we assume that it won't attempt to compromise security and leak information. Since the container is not trusted, we cannot make the same assumption.

Anyway, I'm just trying to get a sense of what folks are thinking in this direction: I realize I'm going to have to invent my own solution for a while. I just want that solution to be in the same general vicinity as the finalized OpenSocial. :)

thanks! chris