1 message in com.googlegroups.opensocial-apiRe: [OpenSocial] Basic Security Quest...
FromSent OnAttachments
Luciano Ricardi26 Nov 2007 05:24 
Subject:Re: [OpenSocial] Basic Security Questions... please help
From:Luciano Ricardi (rica@gmail.com)
Date:11/26/2007 05:24:02 AM
List:com.googlegroups.opensocial-api

Well,

This is actually on of the main problems with Opensocial. In this article "Improved Content Fetching for OpenSocial" ( http://opensocialapis.blogspot.com/2007/11/improved-content-fetching-for.html), Graham Spencer talks about the "spoof" problem in Opensocial.

I believe that one mode is, acctually, to trust in IP Address from the Proxy Servers. This is, in sense, a poor protection, but could be an effective way to protect some applications. The container proxy acts when using the IG_FetchContent() function. So, when coming requests from the container proxys, you could trust that, at least, the user is looged on the container.

In time,

Google people, is there an IP list of the proxy servers of sandbox?

On Nov 25, 2007 2:55 PM, ZenBlender <sba@gmail.com> wrote:

Ok, so what SECURE options do I have for authenticating users on my server? Here's the scenario:

I develop the game at www.triplejack.com. This is a game I have already written a Facebook App for. With Facebook, the user is authenticated by code running locally on the server, so there is no way to tamper with the information and spoof the authentication. I basically just use the Facebook ID, once authenticated, in my database to connect a Facebook user to their user account in my database.

How can this be done with OpenSocial? If I plan to use the user's ID to make a connection between their social network account and my database, what's to prevent spoofing when all of the gadget code is XML/HTML/Javascript and easy to get and manipulate by the client?

It would seem that some kind of server-side code would be needed to make it secure. Any pointers are very much appreciated! Thanks!

-- Luciano