<?xml version="1.0" encoding="utf-8"?>
<feed xml:lang="en-us" xmlns="http://www.w3.org/2005/Atom"><title>Simon Willison's Weblog: opensocial</title><link href="http://simonwillison.net/" rel="alternate"/><link href="http://simonwillison.net/tags/opensocial.atom" rel="self"/><id>http://simonwillison.net/</id><updated>2008-10-30T17:14:22+00:00</updated><author><name>Simon Willison</name></author><entry><title>Yahoo, Caja, OpenSocial</title><link href="https://simonwillison.net/2008/Oct/30/links/#atom-tag" rel="alternate"/><published>2008-10-30T17:14:22+00:00</published><updated>2008-10-30T17:14:22+00:00</updated><id>https://simonwillison.net/2008/Oct/30/links/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.links.org/?p=410"&gt;Yahoo, Caja, OpenSocial&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
Yahoo!’s new application platform uses OpenSocial, and protects itself from malicious JavaScript using Google’s Caja secure JavaScript engine. I hadn’t realised that Caja was ready for production use—this is excellent news.


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/caja"&gt;caja&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/javascript"&gt;javascript&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/opensocial"&gt;opensocial&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/yahoo"&gt;yahoo&lt;/a&gt;&lt;/p&gt;



</summary><category term="caja"/><category term="javascript"/><category term="opensocial"/><category term="security"/><category term="yahoo"/></entry><entry><title>Frame-Busting Gadgets</title><link href="https://simonwillison.net/2008/Sep/17/framebusting/#atom-tag" rel="alternate"/><published>2008-09-17T23:23:38+00:00</published><updated>2008-09-17T23:23:38+00:00</updated><id>https://simonwillison.net/2008/Sep/17/framebusting/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://softwareas.com/frame-busting-gadgets"&gt;Frame-Busting Gadgets&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
I’ve always been slightly suspicious of the Google Gadgets / OpenSocial idea of sandboxing untrusted third party content in an iframe. Sure enough, it turns out iframe busting scripts work in Gadgets, meaning a seemingly harmless gadget could potentially launch a phishing attack.


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/framebusting"&gt;framebusting&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/gadgets"&gt;gadgets&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/javascript"&gt;javascript&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/opensocial"&gt;opensocial&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/phishing"&gt;phishing&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;&lt;/p&gt;



</summary><category term="framebusting"/><category term="gadgets"/><category term="javascript"/><category term="opensocial"/><category term="phishing"/><category term="security"/></entry><entry><title>An OpenSocial Foundation</title><link href="https://simonwillison.net/2008/Mar/25/google/#atom-tag" rel="alternate"/><published>2008-03-25T14:51:31+00:00</published><updated>2008-03-25T14:51:31+00:00</updated><id>https://simonwillison.net/2008/Mar/25/google/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://google-code-updates.blogspot.com/2008/03/opensocial-foundation.html"&gt;An OpenSocial Foundation&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
“Today we are pleased to announce that Google is joining together with Yahoo! and MySpace in the creation of a non-profit foundation for the open and transparent governance of the OpenSocial specifications and intellectual property.” Good move; I’d personally love to see this happen with Google Gears.


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/google"&gt;google&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/google-gears"&gt;google-gears&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/myspace"&gt;myspace&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/opensocial"&gt;opensocial&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/yahoo"&gt;yahoo&lt;/a&gt;&lt;/p&gt;



</summary><category term="google"/><category term="google-gears"/><category term="myspace"/><category term="opensocial"/><category term="yahoo"/></entry><entry><title>Figuring out OpenSocial</title><link href="https://simonwillison.net/2007/Nov/2/opensocial/#atom-tag" rel="alternate"/><published>2007-11-02T10:29:25+00:00</published><updated>2007-11-02T10:29:25+00:00</updated><id>https://simonwillison.net/2007/Nov/2/opensocial/#atom-tag</id><summary type="html">
    &lt;p&gt;So &lt;a href="http://code.google.com/apis/opensocial/" title="OpenSocial"&gt;it's out&lt;/a&gt;, and lots of people are talking about it, but I'm still trying to work out exactly what it is. There seem to be two parts to it: a standardised set of GData APIs for accessing lists of friends and their activities (like the Facebook news feed) and a bunch of JavaScript APIs for enabling developers to write hostable widgets and "container sites" to embed those widgets.&lt;/p&gt;

&lt;p&gt;Unfortunately the official documentation confuses things horribly by referring to Google Gadgets in various places. From that my guess is that the embedding part consists of externally hosted code running in an iframe, along with &lt;a href="http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication-with.html" title=""&gt;the clever fragment hack&lt;/a&gt; to mediate controlled communication between the container site and the embedded widget (and bypass the same-domain restriction). Not sure how that would defend against a malicious widget that uses frame-busting to send the user to a completely new page though - Facebook rewrite and sanitise all of the CSS and JavaScript that they serve, but I seriously doubt Google's open source container API pack will include that level of sophistication.&lt;/p&gt;

&lt;p&gt;My other question at the moment is how much OpenSocial relates to the larger goal of an open social network, where import and export APIs allow people to easily move from network to network and still find their friends. I don't see anything in the GData People API that explicitly addresses the need to correlate the same user's account across multiple sites (it looks like it doesn't include an e-mail address for example) which seems to me to be pretty essential.&lt;/p&gt;

&lt;p&gt;Am I getting this right, or have I missed something important? I'd love to hear from people who have been properly briefed on all of this.&lt;/p&gt;
    
        &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/apis"&gt;apis&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/google"&gt;google&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/identity"&gt;identity&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/opensocial"&gt;opensocial&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/portablesocialnetworks"&gt;portablesocialnetworks&lt;/a&gt;&lt;/p&gt;
    

</summary><category term="apis"/><category term="google"/><category term="identity"/><category term="opensocial"/><category term="portablesocialnetworks"/></entry><entry><title>Quoting Google's unreleased OpenSocial Press Release</title><link href="https://simonwillison.net/2007/Oct/31/pr/#atom-tag" rel="alternate"/><published>2007-10-31T18:39:48+00:00</published><updated>2007-10-31T18:39:48+00:00</updated><id>https://simonwillison.net/2007/Oct/31/pr/#atom-tag</id><summary type="html">
    &lt;blockquote cite="http://battellemedia.com/archives/004058.php"&gt;&lt;p&gt;"The web is fundamentally better when it's social, and we're only just starting to see what's possible when you bring social information into different contexts on the web," said XXXX.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p class="cite"&gt;&amp;mdash; &lt;a href="http://battellemedia.com/archives/004058.php"&gt;Google&amp;#x27;s unreleased OpenSocial Press Release&lt;/a&gt;&lt;/p&gt;

    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/funny"&gt;funny&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/google"&gt;google&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/opensocial"&gt;opensocial&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/pr"&gt;pr&lt;/a&gt;&lt;/p&gt;



</summary><category term="funny"/><category term="google"/><category term="opensocial"/><category term="pr"/></entry><entry><title>Marc Andreessen on Open Social</title><link href="https://simonwillison.net/2007/Oct/31/pmarca/#atom-tag" rel="alternate"/><published>2007-10-31T16:58:24+00:00</published><updated>2007-10-31T16:58:24+00:00</updated><id>https://simonwillison.net/2007/Oct/31/pmarca/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://blog.pmarca.com/2007/10/open-social-a-n.html"&gt;Marc Andreessen on Open Social&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
Marc describes it as an open standard for implementing Facebook style “containers” that other applications can live in. My initial assumption that it was an implementation of the Social Graph paper ideas was incorrect.


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/google"&gt;google&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/marcandreesen"&gt;marcandreesen&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/opensocial"&gt;opensocial&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/social-graph"&gt;social-graph&lt;/a&gt;&lt;/p&gt;



</summary><category term="google"/><category term="marcandreesen"/><category term="opensocial"/><category term="social-graph"/></entry><entry><title>Google Announces the OpenSocial API</title><link href="https://simonwillison.net/2007/Oct/31/opensocial/#atom-tag" rel="alternate"/><published>2007-10-31T16:34:58+00:00</published><updated>2007-10-31T16:34:58+00:00</updated><id>https://simonwillison.net/2007/Oct/31/opensocial/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://radar.oreilly.com/archives/2007/10/google-opensocial-api-launch.html"&gt;Google Announces the OpenSocial API&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
I doubt the similarity between this and Brad Fitzpatrick’s social graph paper is a coincidence—what IS impressive is that he only joined Google a couple of months ago.


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/apis"&gt;apis&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/brad-fitzpatrick"&gt;brad-fitzpatrick&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/google"&gt;google&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/opensocial"&gt;opensocial&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/social-graph"&gt;social-graph&lt;/a&gt;&lt;/p&gt;



</summary><category term="apis"/><category term="brad-fitzpatrick"/><category term="google"/><category term="opensocial"/><category term="social-graph"/></entry></feed>