Hi Wal,
I definitely understand your concerns and frustrations with these items and I just want to make it known that we will offer as much support as we may to get applications running on YAP. We have numerous methods of obtaining similar results for elements that are restricted, so if you have anything specific please let us know. I will try to address the issues you have brought up with as much detail as I can provide:
Lack of automatic redirect with regards to security
We know that we can't stop all phishing / hack attempts by malicious developers (such as the ones you've pointed out), but restricting redirects to user-initiated click events helps in innumerable ways to try to protect our users. Many users, when given the choice to enter personal data or not, will be more critical of what they are filling out and the source they are coming from. I understand this restricts developers in some ways, but our goal is to protect the users in any way we can. The method I posted in one of my comments above for mimicking redirects should work fine for this instance. We also have server-side methods and several code samples to obtain the same results. As long as we can provide developers with an alternative method to accomplish the same task we feel the added level of security will be beneficial for all concerned. With that said, should we find an adequate way of providing this functionality to developers we will. The platform is still undergoing numerous upgrade releases, so additional functionality will be unlocked as the releases are pushed.
Lack of iframe (or yml:iframe)
It was the decision of the security teams here at Yahoo! that iframes presented too many security vulnerabilities. We want to prevent our user base from being exposed to malicious scripts and attacks. Caja met the security requirements that we had for the platform by essentially providing a sanitized DOM structure within a node container. There is great information on what Caja does here:
http://code.google.com/p/google-caja/
One of the iframe security issues is "drive-by downloads" in IE (and basically iframes are only as secure as IE iframe support). Essentially, this allows malicious developers to install malware onto a user's computer without them having knowledge or control of it. I won't go into exhaustive detail right here, but here are a few research links on some of these issues if you want to take a look:
Google research on iframe vulnerabilities - includes their research paper: http://googleonlinesecurity.blogspot.com/2...oint-to-us.html
Drive-by downloads article: http://www.theregister.co.uk/2008/01/23/bo..._botnet_menace/
Many of us here have developed applications on the platform just as you are, so most likely we have hit some of the same problems and may be able to help out with what we've learned. We are working on providing sample code and examples to major reported issues so those may be a good resource in the YAP documentation as well.
Jonathan LeBlanc
Senior Software Engineer
Yahoo! Developer Network
Jon,
I understand and appreciate your concerns for security, but what's to prevent a malicious developer from putting a link that says "See High Scores" which directs to a phishing site? Or, what's to prevent a malicious developer from asking the user for personal information or credentials in the application itself?
The other point is: most other platforms have been allowing apps in an iframe for a while. Facebook, for example, holds a lot of personal information, and they allow apps to run in an iframe without anything like Caja. How come they can do it securely and Yahoo can't? I understand the need for Caja on profile boxes, because the page might contain personal information. But on the Canvas page, it's a major restriction that breaks most apps, and also breaks the OpenSocial promise of write once run everywhere.