How not to do web services

Google’s being bitten by the way some of their web services work. It seems that as long as you’re logged into your Gmail account, any web site can use a script tag to pull your personal information (in this case, your address book). The browser sends your Gmail cookies along with the script request, and the response comes back as JavaScript that runs inside the other site’s page, so the same-origin policy does nothing to stop it. This is, to put it mildly, not good. It’s one thing to use a script tag to fetch anonymous information, like a map. It’s something else entirely when it can fetch personal information without that user’s consent.

This is one of the problems with providing JSONP web services over HTTP GET when a cookie is the only credential. The browser attaches the cookie to every request for your domain no matter which page triggered it, so you have to be very careful that other domains can’t use the browser’s cookie jar to their own benefit. If you’re going to rely on cookies for credentials, you need a second mechanism that a script tag on someone else’s page can’t satisfy: an additional parameter that is unpredictable, tied to the session, and handed out only to pages served from your own origin (the same idea as an anti-CSRF token), so that third-party sites can’t raid your users’ data. Better still, don’t expose personal data through JSONP in the first place.

Anyway, Google has a couple of smart people, so I’m sure they’ll do something about this. They can’t have other websites raiding their users’ information like this.
