Some implementations don't process the HEAD element correctly

John Bradley john.bradley at wingaa.com
Wed Aug 26 15:24:24 UTC 2009 

There is talk of removing HTML discovery in future.

It is a known security problem.

Yadis requires the X-XRDS meta tag to be inside the <head> element.

OpenID 2.0 is silent on it.

Getting rid of the meta http-eqiv tag from the HTML will be a  
challenge, and a point for debate.

I think the other elements will go except for backwards compatibility  
with older RPs.

John B.
On 26-Aug-09, at 10:51 AM, Andrew Arnott wrote:

> Thanks, Thomas.  I hadn't meant to drop the list with my reply.
>
> You're points are all correct too.  I guess my only argument is: a  
> fully compliant HTML parser in an OpenID RP library would be very  
> heavyweight, and anything less would mean it's buggy.  So far, the  
> community seems satisfied with "mostly there" implementations.  I  
> agree it's not perfect, but in the next major OpenID spec, HTML  
> discovery is likely to be removed anyway, so I don't think any  
> implementers have motivation to fix these bugs that can easily be  
> worked around.
>
> BTW, missing HEAD tags is just one bug, and it seems  
> disproportionate to stress this one over all the others.  Some of  
> which are perhaps more serious.  I imagine many RPs don't ignore  
> LINK tags that appear within HTML <!-- comments -->.  And to  
> properly respect comments requires Javascript parsing (I think!) in  
> order to avoid ending the comment when a javascript function  
> contains a string with "-->" in it.
>
> Just some more thoughts.  As an RP implementer myself, I do fix some  
> HTML discovery bugs that come in, but not all of them for the  
> reasons given above.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - S. G. Tallentyre
>
>
> On Wed, Aug 26, 2009 at 7:39 AM, Thomas Hühn <huehn at arcor.de> wrote:
> [you mailed off-list, was that intentional?]
>
> Andrew Arnott schrieb:
>
>
> > The difference is "<LINK>" might appear somewhere in the <BODY> of  
> the > page
>
> Not in a valid HTML document. :-)
>
> Of course you have to think about invalid ones as well, because  
> browsers accept them.
>
> But that doesn't have anything to do with whether there is a <HEAD>  
> tag.
>
> The security implications are totally independent from having or  
> omitting HEAD tags.
>
> Look, it's perfectly clear at any point in the HTML text whether  
> this point belongs to HEAD or to BODY. The HEAD tags are irrelevant.
>
> Google even recommends omitting them: http://code.google.com/speed/articles/optimizing-html.html
>
>
> I agree with Shade.  It's sub-optimal security for OpenID RPs to try  
> grokking HTML in the first place.  I'm sure if you tried everything
>
> Of course parsing HTML is hell, but you have specified it.
>
>
> "legal", you'd likely find dozens of ways that RPs are imperfect.   
> But since delegation is a relatively rare scenario anyway (hundreds  
> of millions of OpenIDs out there today, only a few actually delegate  
> since it's an advanced user scenario) I think it's very reasonable  
> to put a few restrictions on it so that RPs can be more secure and  
> written more easily.
>
> That doesn't change anything.
>
> Everything you're saying is absolutely right. But it doesn't have  
> anything to do with whether the HEAD element is surrounded by HEAD  
> tags.
>
> My example is *valid*, by the OpenID specification. I have placed  
> LINK elements inside the HEAD element. That's what the OpenID spec  
> demands.
>
> The implementation is *buggy*. Yes, that's a fringe case. I can't  
> really blame the author for not thinking about this.
>
> And the spec is fine by itself but could be improved for the benefit  
> of developers and users.
>
> So there are several ways to handle it:
>
> 1. The status quo -- don't do anything: perfectly okay, but probably  
> many more implementations will be buggy, without the developers even  
> knowing about the pitfall.
>
> 2. making clear in the spec that the HEAD element does not  
> necessarily correspond to HEAD tags and that a simple grep is *wrong*.
>
> 3. re-wording the spec so that it is clear that only a subset of  
> HTML is supported, requiring the HEAD tag(s).
>
> I'd prefer 2., just adding a non-normative note to the spec.
>
> Thomas
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20090826/f2266396/attachment-0001.htm>

More information about the specs mailing list