Simon Willison’s Weblog


Figuring out OpenSocial

2nd November 2007

So it’s out, and lots of people are talking about it, but I’m still trying to work out exactly what it is. There seem to be two parts to it: a standardised set of GData APIs for accessing lists of friends and their activities (like the Facebook news feed) and a bunch of JavaScript APIs for enabling developers to write hostable widgets and “container sites” to embed those widgets.

Unfortunately the official documentation confuses things horribly by referring to Google Gadgets in various places. From that my guess is that the embedding part consists of externally hosted code running in an iframe, along with the clever fragment hack to mediate controlled communication between the container site and the embedded widget (and bypass the same-domain restriction). Not sure how that would defend against a malicious widget that uses frame-busting to send the user to a completely new page though—Facebook rewrite and sanitise all of the CSS and JavaScript that they serve, but I seriously doubt Google’s open source container API pack will include that level of sophistication.
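As an added example (not from the original post and not OpenSocial's or Google's code), here is a sketch of the container side of a fragment-based channel like the one guessed at above: the widget writes a message into a URL fragment, and the container checks it against an allow-list before acting. The message format (`op`, `arg`, `seq`), the operation names and the limits are all assumptions made for illustration.

```javascript
// Added illustration: container-side validation of messages a widget passes
// through a URL fragment. Wire format, op names and limits are assumptions.
const MAX_FRAGMENT_LENGTH = 512; // the fragment is fully widget-controlled

// Hypothetical operations the container exposes, each with an argument check.
const ALLOWED_OPS = new Map([
  ['resize', (arg) => /^\d{1,4}$/.test(arg) && Number(arg) <= 2000],
  ['setTitle', (arg) => arg.length <= 80], // render with textContent, never innerHTML
]);

// Parse "#op=resize&arg=300&seq=1" into a validated message, or return null.
function parseWidgetMessage(fragment, lastSeq) {
  if (typeof fragment !== 'string' || fragment.length > MAX_FRAGMENT_LENGTH) return null;
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  // Exactly one each of op, arg and seq; extra or repeated keys are rejected.
  const keys = [...params.keys()];
  if (keys.length !== 3) return null;
  if (!['op', 'arg', 'seq'].every((k) => params.getAll(k).length === 1)) return null;
  const seqText = params.get('seq');
  if (!/^\d{1,9}$/.test(seqText)) return null;
  const seq = Number(seqText);
  // The container polls the fragment, so it sees the same value repeatedly;
  // a strictly increasing sequence number drops repeats and replays.
  if (seq <= lastSeq) return null;
  const op = params.get('op');
  const arg = params.get('arg');
  const validate = ALLOWED_OPS.get(op);
  if (!validate || !validate(arg)) return null;
  return { op, arg, seq };
}

// Simulates successive polls; returns the messages the container would act on.
function processFragments(fragments) {
  let lastSeq = 0;
  const accepted = [];
  for (const fragment of fragments) {
    const msg = parseWidgetMessage(fragment, lastSeq);
    if (msg) { lastSeq = msg.seq; accepted.push(msg); }
  }
  return accepted;
}

// Constructed sample input, not captured from any real widget.
const SAMPLE_FRAGMENTS = [
  '#op=resize&arg=300&seq=1',
  '#op=resize&arg=300&seq=1', // unchanged fragment seen on the next poll
  '#op=navigate&arg=https%3A%2F%2Fexample.test%2F&seq=2', // op not on the allow-list
  '#op=setTitle&arg=My%20widget&seq=3',
  '#op=resize&arg=999999&seq=4', // argument out of range
];
```

Validation like this only limits what the widget can ask the container to do. It does nothing about a framed page navigating the top-level window, the frame-busting concern raised above, which current browsers address separately with the iframe `sandbox` attribute when `allow-top-navigation` is omitted.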

My other question at the moment is how much OpenSocial relates to the larger goal of an open social network, where import and export APIs allow people to easily move from network to network and still find their friends. I don’t see anything in the GData People API that explicitly addresses the need to correlate the same user’s account across multiple sites (it looks like it doesn’t include an e-mail address for example) which seems to me to be pretty essential.

Am I getting this right, or have I missed something important? I’d love to hear from people who have been properly briefed on all of this.