[OpenID] Automating the user's selection of OP
sysadmin at shadowsinthegarden.com
Mon Apr 20 20:10:12 UTC 2009
>User agents don't let you make cross-site HTTP calls however, which
>may block the implementation of your idea.
They don't? I thought that was why XSS attacks (literally,
"cross-site scripting") were so dangerous; but then, since you don't
need scripts enabled (just images would do) for that, I may be
conflating two meanings of "scripting". Depending on what content at
OP's is restricted, and *how* it gets restricted, a script may not
need to examine HTTP Response headers - if it could just look at
whether a requested image was returned at all, or the size of that
Or, if OP's were to set up a special URL for allied RP's to test
whether users were logged in - but no matter what can be achieved
through cooperation that way, which OP's would *want* to mitigate
OpenID's privacy by letting arbitrary sites (whoever sent the users
similar scripts) check which supporting OP's the user was currently
logged into (if not what their account name was), and easily transmit
that data back to the RP?
>Don't let me stop you from trying, but I just will be surprised if
>it will work.
I'm queasy about the idea now. Much like using XSS "for a good
cause", I don't want to encourage users to rely on insecurity for
their conveniences. It was just a thought; let's work on selectors a
bit longer, make sure we do it right.
>Didn't you mention (or discuss on a thread) sometime back the idea
>they were "visited" links or not in order to see which OPs the user
>has been to and thereby guess which OPs are most effective to
>display to the user?
I don't think so, though this does seem to be another instance of
"attack" techniques (I do recall reading about it; there's a Firefox
addon addressing the risk) being used for "good".
We've all had a lot of ideas, but they tend to get lost among the
older threads. I'm of a mind to embark on a project to index all
these ideas so we can easily find them later on, when we need them or
are just interested.
More information about the general