[Chandler-dev] Security in web widgets

Jeffrey Harris jeffrey at osafoundation.org
Wed Feb 27 16:46:22 PST 2008


Hi Folks,

Today I got things working so that when users log in to a Chandler 
widget hosted as a Google gadget, they can optionally save their 
username/password as Google preferences.  Great!  Except...

It turns out the way Google's gadget preferences actually work, they put 
all preferences in the query string when calling our widget.  So, if we 
were to move forward with this code, Google would basically be spraying 
the user's username/password in the referrer field to the logs of any 
host linked to by our intrepid widget (any images, javascript, or css we 
include).

This seems untenable.  While our current web UI has its security 
issues, it's not nearly as bad as this.

So, I'm thinking we should back off from using Google's preferences, and 
go back to storing a cookie.  This works fine for Firefox, although 
it'll behave oddly if two people happen to use the same browser to log 
into their iGoogle account.

Unfortunately Safari users will be logged out after every reload of 
iGoogle, because Safari doesn't allow iframes pointing at different 
domains to access that different domain's cookies.

Safari users will at least be able to use the widget; this didn't work 
at all yesterday, but I've patched things to store authentication 
information in a Javascript variable in addition to the normal cookie.

Does this seem like the right path?

Sincerely,
Jeffrey
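The leak described in the post (gadget preferences placed in the query string, then forwarded as the Referer header to every image, script and CSS host the widget pulls in) can be made concrete and, on the defender's side, detected. The following is an added example, not code from the post, from Chandler or from Google: it derives the Referer value a third-party host would receive from a gadget URL, scrubs credential-bearing parameters before the URL is exposed, and scans combined-format access log lines for referrers that carry such parameters. The `up_username`/`up_password` parameter names, the hostnames and the log lines are constructed assumptions for illustration.

```javascript
// Added example (not Chandler's or Google's code): shows how preferences
// carried in the gadget's query string end up in the Referer header sent to
// every third-party host the widget loads assets from, and how a defender
// can scan an asset host's access logs for such leaks.

// Parameter names are assumptions; the "up_" prefix is hypothetical here.
const SENSITIVE_PARAMS = new Set([
  'up_username', 'up_password', 'username', 'password', 'passwd', 'token',
]);

// A browser reports the embedding document's URL (minus the fragment) as the
// Referer for sub-resource requests. Given the gadget URL as it would be
// called with preferences in the query string, return what a third party sees.
function refererFor(gadgetUrl) {
  const u = new URL(gadgetUrl);
  u.hash = '';
  return u.toString();
}

// List the sensitive parameter names present in a URL's query string.
function leakedParams(url) {
  const u = new URL(url);
  const leaked = [];
  for (const [k] of u.searchParams) {
    if (SENSITIVE_PARAMS.has(k.toLowerCase())) leaked.push(k);
  }
  return leaked;
}

// Mitigation on the widget side: remove credential parameters from the URL
// before any third-party asset is requested (in a browser this cleaned URL
// would be applied with history.replaceState; here it is simply returned).
function scrubUrl(url) {
  const u = new URL(url);
  for (const k of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(k.toLowerCase())) u.searchParams.delete(k);
  }
  return u.toString();
}

// Detection: scan Apache/nginx combined-format access log lines on an asset
// host for Referer values carrying credential parameters.
const COMBINED_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function findReferrerLeaks(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = COMBINED_RE.exec(line);
    if (!m) continue;               // not a combined-format line; skip
    const referer = m[6];
    if (referer === '-') continue;  // no Referer sent
    let params;
    try { params = leakedParams(referer); } catch (e) { continue; } // unparsable
    if (params.length) hits.push({ client: m[1], request: m[3], params });
  }
  return hits;
}

// Constructed sample log lines for an image/CDN host the widget links to.
const SAMPLE_LOG = [
  '203.0.113.7 - - [27/Feb/2008:16:40:01 -0800] "GET /img/logo.png HTTP/1.1" 200 1532 "http://gadgets.example.com/ifr?url=http://chandler.example.org/widget.xml&up_username=alice&up_password=hunter2" "Mozilla/5.0"',
  '203.0.113.8 - - [27/Feb/2008:16:40:03 -0800] "GET /js/widget.js HTTP/1.1" 200 8841 "http://gadgets.example.com/ifr?url=http://chandler.example.org/widget.xml" "Mozilla/5.0"',
  '203.0.113.9 - - [27/Feb/2008:16:40:05 -0800] "GET /css/style.css HTTP/1.1" 200 411 "-" "Mozilla/5.0"',
].join('\n');

// Running this reports the single line whose Referer exposes the credentials.
console.log(findReferrerLeaks(SAMPLE_LOG));
```

Only the first sample line is reported, because its Referer carries the `up_username` and `up_password` parameters; the scrubbed URL keeps the harmless `url` parameter and drops the credentials, which is the shape a cookie-based or server-side preference store avoids having to fix at all.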

