makeRequest

Re: Protecting your URLs that return data

Michael — Thu, 02 Jul 2009 05:51:57 GMT

cool, this may be useful to me also, because i dont want people storing and deleting data from my database directly from the site that accesses it, but i need to know how it works so i can impement it =D thanks a lot

Re: Protecting your URLs that return data

Chak — Sun, 31 May 2009 15:47:53 GMT

Hi Thomas:

You need to use signed makerequest() calls to address this issue which will pass a signature your server.

You also need to modify your server code to verify the signature passed in to ensure they match (i.e. this will validate that the request originated from Myspace - assuming the consumer secret has not been compromised).

Please add the following line to the JS code above to make signed requests:

params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;

Chak

Protecting your URLs that return data

Thomas — Fri, 29 May 2009 22:10:48 GMT

When requesting data from our webserver using the opensocial API call makeRequest, we can either post or get data using the code below

function getFriendList() {
var url = 'http://apps.yo.com/widgets/send_item/opensocial/profile_summary?user_id=' + gViewer.getId();
var params = {};
params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.GET;
gadgets.io.makeRequest(url, getFriendListCallback, params);
}

As we can see, looking at the source of our page anyone can use the url to create they're own apps.

I can use $referrer = $_SERVER['HTTP_REFERER']; in PHP to know the request is coming from MySpace and so block any requests from other domains.

But what is there to stop another MySpace Dev from creating an application that uses my webserver?