Here is canvas source for my test app:

<script type="text/javascript">
function init() {
 var dr = opensocial.newDataRequest();
 var params = {};
 var personReq = dr.newFetchPersonRequest(opensocial.DataRequest.PersonId.VIEWER);
 dr.add(personReq,'viewer');
 dr.send(personDataCallback);
}

function personDataCallback(data) {
 var code = data.get('viewer').getErrorCode();
 if (code) {
  alert(code);
  return;
 }
 var currentUser = data.get('viewer').getData();
 var currentUserId = currentUser.getField('id');
 alert("currentUserId = " + currentUserId);
}
gadgets.util.registerOnLoadHandler(init());
</script>

When I visit the canvas page without having the application install on firefox I correctly get the popup:

"unauthorized"

However, when I visit the canvas page without having the application install on IE7 I incorrectly get the popup:

"currentUserId = 380717257"

This app is here.

http://profile.myspace.com/Modules/Applications/Pages/Canvas.aspx?appId=108935

As a side note not only can I get user info for uninstalled users but I can get their friends and use postTo on their behalf. (Seems like a big security hole)

thanks,

Jesse

 Ping? Anyone else having this problem? Anyone from myspace?

 J

Hi Jesse, I just tested this in IE 7 and IE 64-bit (as well as Firefox) - I get unauthorized across all browsers.

Is it possibly dragging up a cached version of your code? 

 I have not specifically run this test yet, but IE is notorious for pulling information from cache that it should be refreshing from across the network, even XHR requests.  We have seen XHR caching issues in other contexts with IE and are currently discussing how best to address this, perhaps thru a timestamp cache breaker parameter for IE.