OpenSocial

Google just announced something called OpenSocial, which is a Facebook apps-like mechanism running on an open platform of essentially embedded JS and HTML. At least, that’s the gist I’m getting.

But where’s the security? Letting untrusted apps run JS on my social network site (and that’s not just a hypothetical: 1 million actual users, more like 3 million the way Facebook and MySpace count them) means giving them access to cookies (we do HttpOnly, but that doesn’t cover all browsers by any means) and the ability to do a lot of really nasty things to our users.

Seems to me Facebook didn’t do a closed platform so much for lock-in as out of a desire to avoid security issues just like this. The hoops you have to go through to get any serious information on a Facebook app, including several levels of user confirmation, are a serious hindrance to overt abusive use.

Either Google has failed to make this useful to me, or they have failed to market it to me. Both of these possibilities seem very surprising.

This entry was posted on Wednesday, October 31st, 2007 at 10:19 am and is filed under Business, Technology.