We're moving!

Thursday, April 15, 2010 at 9:41 PM



Effective today, we’re moving this blog to the Google Code blog, which many of you may already be familiar with as the home to announcements and updates from several other Google APIs. The code blog enjoys a much wider audience and we believe this transition will help us reach out to a much larger number of developers, which will further help grow the community around orkut. This blog will still be available for reference to our older posts but all the new ones will go to the new blog.

Remember to update your bookmarks to googlecode.blogspot.com for all major updates to the orkut development platform, and follow us on Twitter and the orkut Developer Forum for all other community news, events and announcements.

See you there!

Caja Available on orkut

Tuesday, March 9, 2010 at 1:18 AM



We are excited to announce the availability of Caja (pronounced KA-hah) for orkut applications. Caja makes your gadget more secure by analyzing and rewriting it such that any exploits or vulnerabilities in your application are much less dangerous for your users. In addition, it also rewrites your gadget so it works across different browsers. For example, under Caja, it doesn't matter whether you use addEventListener or attachEvent — both just work!

Caja works with your existing HTML, CSS and JavaScript — there are no new tools or programming languages or APIs for you to learn. Instead, your gadget can use any object references and orkut APIs. In order to detect vulnerabilities, Caja restricts the JavaScript accepted in a gadget to an analyzable subset. The only constructs left out of this subset, like with and eval, also violate JavaScript best practices. In addition, Caja provides warnings on other aspects of the code such as missing semicolons, HTML attributes that aren't recognized by browsers, and statements that have no side-effect.

To enable Caja for your application, add the following feature entry to your app XML in ModulePrefs:

<Require feature="caja"/>

For example, here is a very simple gadget which makes some text bold and displays it:

<Module>
<ModulePrefs title="Example Gadget">
<Require feature="caja" />
</ModulePrefs>
<Content type="html"><![CDATA[
<script>
function inBold() {
var result = document.createElement('div');
result.innerHTML = "<b>" + document.getElementById("plainText").value + "</b>";
document.getElementById("boldText").appendChild(result);
}
</script>
<input id="plainText" type="text" size="50" value="hello world" />
<input type="button" value="Bold!" onclick="inBold();" />
<div id="boldText"></div>
]]></Content>
</Module>

Can you see the problem? Unfortunately, this gadget contains a very common XSS vulnerability. If a user enters text into the input box which contains a <script> block, either deliberately or as a result of being tricked by an attacker, the script can take control of your gadget — for example, by redirecting them to a malware site. In this example, the gadget would be vulnerable because the gadget author assigns an unsanitized string to innerHTML and thus possibly executes some scripts embedded in the string. However, because the gadget uses Caja, such errors in quoting and sanitization don't escalate into arbitrary script executions and your users will not be exploited.
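The quoting error in inBold() can also be fixed at the source, independently of Caja. The following is an added example, not code from the original post or from the Caja project: the helper names escapeHtml and boldMarkup are hypothetical, and inBold takes the document as a parameter (an assumption made here so the function can be exercised outside a browser).

```javascript
// Added example: hardened variants of the gadget's inBold() function.
// escapeHtml and boldMarkup are hypothetical helper names.

// Escape the characters that are significant in HTML text and quoted
// attribute values. '&' is replaced first so that the entities produced
// by the later replacements are not escaped a second time.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Variant 1: keep the string-building approach, but escape the
// user-controlled value before it is placed between the <b> tags.
// The result is safe to assign to innerHTML.
function boldMarkup(userText) {
  return '<b>' + escapeHtml(userText) + '</b>';
}

// Variant 2: never hand user input to the HTML parser. The <b> element
// is created explicitly and the input is assigned as plain text, so any
// markup typed into the box is displayed literally.
function inBold(doc) {
  var bold = doc.createElement('b');
  bold.textContent = doc.getElementById('plainText').value;
  var result = doc.createElement('div');
  result.appendChild(bold);
  doc.getElementById('boldText').appendChild(result);
  return result;
}
```

In the gadget, the button handler becomes onclick="inBold(document);".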

Caja also supports Flash through a Flash bridge. Read more about the FlashBridge or try out the sample app.

We will be introducing a badge for gadgets that use Caja, so users can more easily find them. Caja gadgets will get a boost in the app-directory rankings. So get coding and building interesting apps!

Caja in orkut is a work in progress and we will continue to incorporate your feedback to improve it. Read the Caja getting-started guide or visit the Caja homepage for more information.

Sharing on orkut just got easier!

Monday, November 23, 2009 at 12:15 AM


As part of our continuous efforts to give orkut users more ways to share interesting content with their friends, we are happy to announce the launch of the orkut Share API. The API allows website owners to let their visitors share the website's content with their friends on orkut.























Users can share the content and optionally promote it to make recommendations to their friends, which then appears in their activity updates. Every such shared item has the potential to spread virally and get wider attention from orkut users, increasing the traffic to the website.

Web publishers can post orkut share buttons like the one above on their page using a simple JavaScript library. We also support the JavaScript and HTTP APIs for a more direct interaction of sharing-related UI actions with the server. These options combine to give web publishers flexibility in the way sharing features are implemented. The user experience remains consistent and secure in each case.

Some of our early access developers, like addthis.com, have already started supporting orkut in their list of services. If your website has implemented sharing functionality using the 'addthis' button, you can simply configure orkut in the destination network list.

Details of orkut share API and sample code can be found here.

So spread the word, have fun sharing!

The new orkut - more for apps!

Monday, November 2, 2009 at 10:58 PM



We just launched a faster, richer and more intuitive experience on the new orkut. You need an invite to see the new orkut - we will send out invites to developers this week.

OpenSocial applications take center stage as part of this redesign. You can now customize your 'About me' section with OpenSocial apps and even make your favorite app the default view for 'About me'. When your friends visit your profile, your app will showcase your personality (whether your daredevil race car avatar or your smiley face today). Apps on profile view also move above the fold and have a larger area for display.

A few tips to leverage the redesign:

1. Currently we support a small profile view size of 540 x 280. With the redesign you have a wider profile view size of 660 x 225. As we roll out the new orkut, both these views will be supported. To take advantage of this, you can add another profile view using the view name profile660.

</ModulePrefs>
<Content type="html" view="profile660">
<![CDATA[
<h1>Profile view for the new orkut!</h1>
]]>
</Content>

For users with the new orkut, the new profile view will be used, while old users continue to see the old view. Currently the new orkut supports both views, but as the redesign rolls out fully, the new view (profile660) will be standard and the old view (profile) will be phased out.

2. Build a profile view that allows users to showcase their personality. If your app is a game, let the users showcase their high scores in profile view. If your app promotes self expression, then let users pick the expression they want to showcase on profile view.

The new orkut is a work in progress - we will continue to act on user feedback to improve it even more. OpenSocial apps are a key part of our strategy and you will see this reflected in many parts of the new orkut going forward.

Announcing chat gadgets in the orkut sandbox

Wednesday, October 21, 2009 at 1:08 PM

Posted by Moishe Lettvin, Software Engineer

Today we're enabling "Chat Gadgets" in the orkut sandbox. This feature allows you to share gadgets with your friends and interact in real time in the gadget itself. The gadget will appear in a window in the lower-right corner of the screen, like a chat window. Gadgets in this container support the gadgets.sharedstate API, which allows developers to transmit data between gadgets running on different machines with low latency and without the gadget author having to provide any server support. We think this is a great place to use simple, transient gadgets -- the most obvious is casual two-player games but there are lots of other possibilities; for instance, one of the samples is a translation gadget.



To use this feature, both accounts must be on the orkut sandbox. Under the "Video & More" menu in a chat window, select "Start Application" and you'll get a text box where you can type in the URL of a gadget to send, as well as a list of gadgets you've recently sent or received. When you select a gadget to send, your friend will see a verification message, and when they accept, you'll both see the gadgets in new popup windows in the lower-right of your screen.

We plan to open this feature up to users on production orkut early in 2010 but wanted to give our developers a sneak peek and a chance to start writing gadgets now.

See here for documentation and examples about the gadgets.sharedstate feature.

We will strictly enforce the use of Caja for the production release of this feature. We don't enforce Caja for Chat Gadgets running in the orkut sandbox, but we recommend you add the line to your gadget ModulePrefs to ensure that your gadget works with Caja.

If you have questions or comments about the API or plans for this feature please ask them on the orkut developer forum.

Update (04/12/2010): Our team decided to stop working on the gadgets.sharedstate API. The sandbox and the test harness will be shut down soon. Thanks for giving it a try.

App URL migration tool available

Tuesday, June 23, 2009 at 8:11 PM



We're glad to announce the availability of the app URL migration tool. There are instances when you need to change the URL for your app XML file - this tool will help you do this without affecting existing users of your app.

In order to use the tool, here are some requirements -
1. You must have claimed ownership of the existing app.
To claim ownership of an app, visit http://www.google.com/gadgets/directory/verify
2. You must be logged in with the account with which you claimed ownership.
3. The existing app must be a featured app on Orkut.
4. The new application URL must NOT have been used as an app on ANY google container -- including orkut, iGoogle, etc.
Note: This is very important, otherwise the migrate request will fail. It is recommended that you create an absolutely new and unique URL when migrating. Unfortunately, this also means that you cannot test the new app URL on sandbox before issuing a migrate request.

Steps to use the tool -
1. Visit http://sandbox.orkut.com/AppUrlMigrate.aspx
2. Type in your existing app url and the new URL to migrate to.
3. Check the existing and new app URLs. (see attached screen shot)
4. Double check - (you really don't want a typo in the new URL).
5. Hit the submit button.
6. A migration confirmation message will appear.
7. The migration changes will propagate through caches and will be live in 24 hours.
Caution: If you use the same existing app URL on any other google property, this migration request will have an effect on the other property.

Announcing view parameters from OS templates

Monday, May 25, 2009 at 12:44 AM



We're glad to announce support for view parameters in osx:NavigateToApp. Using view parameters you can customize your canvas page view based on what the user clicked on the profile view.

Here's how you can use view parameters from OS templates in profile view.
<osx:NavigateToApp params="{a:b}">Goto Canvas</osx:NavigateToApp>

You can get the view params in canvas page as before.
var prefs = gadgets.views.getParams();
// Compare with ===; a single = would assign 'b' and always be truthy.
if (prefs['a'] === 'b') {....

This is currently available on sandbox.orkut.com and will be available on orkut.com in a few weeks. Since this is an important feature, we are extending the deadline for existing apps on profile view to make the switch to templates to 15th June, 2009. After that date, all apps not using templates will be removed from profile view.