Spyware 2.0

·
Update: I tested this a few minutes ago and it worked, but adding gadgets seems to have been disabled since then. The start.com page appears to be constantly changing at the moment.

Microsoft's start.com lets RSS feeds include links to gadgets that determine how they're displayed. This is done by:

  1. Adding a binding:manifest link from the channel section of the feed to a remote XML file.
  2. That XML file linked to is also an RSS feed (but not a valid one), and the items within it define the files to pull in (javascript and CSS files). Those files make up the gadget, and are applied to the original RSS feed.
  3. Now, the javascript that was pulled into the gadget has access to the whole of the start.com page, including the contents of all the other gadgets (I presume). Hooray!
  4. Here, use the 'add feeds and gadgets' link on the left-hand side of start.com to install this gadget: http://alf.hubmed.org/banana.xml. It'll display a dancing banana and send me the cookies you have stored for start.com. Don't worry, no-one will really try and do anything like this (they definitely won't try and get you to install gadgets that read your email once you have a Gmail/Hotmail gadget installed).

Thankfully, gadgets work in Firefox as well. Microsoft have produced a javascript library attached to start.com that lets you write gadgets using Internet Explorer's version of javascript, so now you only have to remember two ways of writing the same language. Joy!