Subject: Re: Invalid feed
From: Ryan Boyd (Google) (api.@google.com)
Date: 03/20/2007 07:35:49 PM
List: com.googlegroups.google-calendar-help-dataapi

Hello Frank,

Thanks for your question.

AFAIK, the browser should disallow access to the source of an iframe embedded as such from another domain. Thus, with the script tag (and json-in-script callback) the parent page would have access to the private event data, but the iframe implementation would not allow this access. Either way, in the cases you've pointed out, the person writing the code would need to know the magic cookie value. Because of this, there may not be a security concern here. I've filed a bug to investigate this further.

Cheers,

-Ryan

On Mar 19, 1:01 pm, "frank" <fjca@nc.rr.com> wrote:

Maybe this is obvious and I'm not seeing it, but... What exactly is the security concern here?

Assuming you trust your own javascript and google's javascript not to inject code you don't like...

What's the difference between: <iframe src="http://www.google.com/calendar/embed?src=****&pvttk=****"/>

and <script src="http://www.google.com/calendar/feeds/****/private-****/basic?alt=json-in-script"/>

thanks,

- Frank.

On Mar 9, 9:14 am, "Ryan Boyd (Google)" <api.@google.com> wrote:

On 3/9/07, a.@folknology.com <a.@folknology.com> wrote:

When I try to use the alt-json on one of my private calendars I get Invalid Feed Type returned? But it works with the example URL - Google developer events.

doesn't work (added stars instead of actual key):

does work:

http://www.google.com/calendar/feeds/developer-calen...@go@

Is JSON not supported on private calendar feeds?

Correct -- JSON is currently not supported on any private calendar feeds due to security concerns re cross-site-scripting. I have a bug filed to change this in the future slightly to allow JSON output when the feed is authenticated via ClientLogin or AuthSub, but this won't affect magic cookie or real (http spec) cookie authentication.

Cheers,

-Ryan
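The policy discussed in this thread, sketched as a server-side check. This is an added example, not part of the original messages and not Google's implementation: script-loadable output (`alt=json`, `alt=json-in-script`) is refused on a private feed unless the request is authenticated with an `Authorization` header (ClientLogin or AuthSub), which is the change the thread describes as planned. The function names, the sample user, and the placeholder tokens are assumptions.

```javascript
// Added example: hypothetical names, not Google's implementation.
// Formats that a <script> tag on another site can load and execute.
const SCRIPT_READABLE = new Set(["json", "json-in-script"]);

// Work out how the request is authenticated. A cross-site <script src> can
// carry a token in the URL and the browser's cookies, but it cannot set an
// Authorization header, so header-based auth implies a deliberate client.
function authMethod(req) {
  const auth = req.headers["authorization"] || "";
  if (/^GoogleLogin\s+auth=\S+/i.test(auth)) return "ClientLogin";
  if (/^AuthSub\s+token=\S+/i.test(auth)) return "AuthSub";
  if (/\/private-[^/]+\//.test(req.path)) return "magic-cookie";
  if (req.headers["cookie"]) return "http-cookie";
  return "none";
}

// Decide whether the requested output format may be served.
function checkFormat(rawUrl, headers = {}) {
  const url = new URL(rawUrl);
  // Feed path shape taken from the URLs in the thread:
  // /calendar/feeds/<user>/<visibility>/<projection>
  const parts = url.pathname.split("/").filter(Boolean);
  const visibility = parts[3] || "";
  const alt = url.searchParams.get("alt") || "atom";
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const method = authMethod({ path: url.pathname, headers: lower });
  const isPrivate = visibility.startsWith("private");
  const headerAuth = method === "ClientLogin" || method === "AuthSub";
  const allowed = !SCRIPT_READABLE.has(alt) || !isPrivate || headerAuth;
  return { alt, method, allowed };
}

// Constructed sample requests (placeholder user, token and cookie values).
const base = "http://www.google.com/calendar/feeds/user%40example.com";
const samples = [
  [`${base}/public/basic?alt=json-in-script`, {}],
  [`${base}/private-PLACEHOLDER/basic?alt=json-in-script`, {}],
  [`${base}/private-PLACEHOLDER/basic`, {}],
  [`${base}/private/full?alt=json`, { Cookie: "SID=PLACEHOLDER" }],
  [`${base}/private/full?alt=json`, { Authorization: "GoogleLogin auth=PLACEHOLDER" }],
];
for (const [u, h] of samples) console.log(checkFormat(u, h), u);
```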