<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
why do you consider this a risk? <br>
<br>
kind regards,<br>
Torsten.<br>
<br>
<div class="moz-cite-prefix">On 14.02.2015 at 10:05, Thomas
Broyer wrote:<br>
</div>
<blockquote
cite="mid:CAEayHEOnsY+46gFSce64JXKsfE=DNC6cWgURKktibeRenzSgZg@mail.gmail.com"
type="cite">
<p dir="ltr">Hi,</p>
<p dir="ltr">Isn't there a risk of an attacker logging a user out
of a third-party (victim) site just by loading that logout_url?
At a minimum the RP should check the request's origin or
referrer but AFAIK this wouldn't be reliable with such
cross-origin requests (at least for older browsers not sending
an Origin header), but maybe the OP could compute some value
based on a shared secret, or use a signed JWT, and pass it as a
query string parameter to "authenticate" the request?<br>
</p>
<p dir="ltr">On Sat, 14 Feb 2015 07:12, Mike Jones &lt;<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>&gt;
wrote:</p>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
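<p>The mitigation suggested in the quoted message (the OP computes a value from a shared secret and passes it as a query string parameter so the RP can authenticate the logout request), shown as an added example that is not part of the original thread or of any OpenID specification. The parameter names sid, exp and sig, the demo secret, the 60-second lifetime and the assumption that logout_url has no query string of its own are all assumptions made for illustration.</p>

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo secret, shared out of band between OP and RP (assumption).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
MAX_AGE = 60  # seconds a signed logout URL stays valid (assumed policy)


def _mac(sid: str, exp: int) -> str:
    # Bind the MAC to its purpose ("logout"), the session id and the expiry,
    # so the value cannot be reused for another session or another action.
    msg = f"logout|{sid}|{exp}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def op_build_logout_url(logout_url: str, sid: str, now: int) -> str:
    """OP side: append sid, exp and sig to the RP's registered logout_url.

    Assumes logout_url carries no query string of its own.
    """
    exp = now + MAX_AGE
    query = urlencode({"sid": sid, "exp": exp, "sig": _mac(sid, exp)})
    return logout_url + "?" + query


def rp_verify_logout(url: str, current_sid: str, now: int) -> bool:
    """RP side: return True only if the request should end current_sid."""
    params = parse_qs(urlsplit(url).query)
    try:
        sid = params["sid"][0]
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        # A bare cross-site load of logout_url has no valid parameters.
        return False
    if now > exp:
        return False  # stale URL, e.g. leaked via history or a Referer header
    # Compare as bytes: compare_digest rejects non-ASCII str input.
    if not hmac.compare_digest(sig.encode(), _mac(sid, exp).encode()):
        return False  # forged or tampered parameters
    # The MAC is valid, but it must name the session this browser holds.
    return hmac.compare_digest(sid.encode(), current_sid.encode())
```

<p>A URL replayed inside its lifetime can only end the session the OP already asked to end, because the MAC covers the session id.</p>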
</body>
</html>