Yahoo available AX attrs - backchannel/endpoint URLs

John Panzer jpanzer at google.com
Fri Dec 11 05:44:28 UTC 2009


I believe that Blogger, as an RP, would want/need to retrieve and cache any
avatar image data.  The reasons are quadrifold, at least:

1. This lets the RP push the bits through a munger to prevent well known
IE-specific cross site scripting attacks;
2. This lets the RP do downsampling/sanity filtering so as to avoid
craziness like someone supplying a 1600x3200 pixel image for their thumbnail
picture, thus dragging overall page loading time into the mud;
3. In our case, we have a very good edge caching system but we have no
guarantee that the OP does or wants to be hit with a firehose on a popular
page;
4. In our case, our avatar images are actually stored as they were at the
time of the associated blog post / comment.  Thus if you turn your image
green to support a certain political movement, and post with that green
image, it will remain green even years later in our archives even if the
most current avatar is no longer green.  There's no reliable way to do this
without caching the bits.

(I should also note that I'm no longer working full time on Blogger, but am
working full time on Salmon - http://salmon-protocol.org - and related
projects; this is just MHO based on past experience, not a statement on
behalf of Blogger.)

--
John Panzer / Google
jpanzer at google.com / abstractioneer.org / @jpanzer



On Thu, Dec 10, 2009 at 9:14 PM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:

>  I think I messed the double negative above: I meant everything except
>> explicit APIs with support SLAs are liable to change.
>>
>
> As a cheaper (but less geek-friendly) solution, couldn't Relying Parties
> have JS read the "image" data *and* (before loading/running it)
> instruct the user's browser to hash it, seeing if it matched the "clean"
> value an RP had generated/stored/displayed for it after confirming that it
> was safe? If not, the browser could be instructed to (alternatively) display
> a generic "this user has a new icon that has not yet been checked" profile
> image instead.
>
> -Shade
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
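As an added illustration (not code from this thread, from Blogger, or from any OpenID library), a Python sketch of the RP-side "sanity filtering" step described above: it reads dimensions from the real header bytes rather than the declared type, rejects image-shaped files whose leading bytes carry HTML markup (the IE content-sniffing vector), and rejects oversize dimensions before anything is downsampled or cached. The re-encode ("munger") step is assumed to run afterwards and is not shown; the 512 px cap and the sample headers are constructed for the example.

```python
import struct

MAX_DIMENSION = 512   # constructed policy cap; a 1600x3200 "thumbnail" is rejected outright
MARKUP_MARKERS = (b"<html", b"<script", b"<body", b"<!doctype", b"<iframe", b"<object")

def image_dimensions(data: bytes):
    """Read (kind, width, height) from the real header bytes, ignoring any declared type."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return ("png",) + struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return ("gif",) + struct.unpack("<HH", data[6:10])
    if data[:2] == b"\xff\xd8":
        i = 2  # walk JPEG segments until a SOFn frame header carries the size
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker, seg_len = data[i + 1], struct.unpack(">H", data[i + 2:i + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return "jpeg", w, h
            i += 2 + seg_len
    return None

def looks_like_markup(data: bytes) -> bool:
    """Old IE sniffed the leading bytes for HTML regardless of Content-Type; refuse such files."""
    return any(m in data[:256].lower() for m in MARKUP_MARKERS)

def check_avatar(data: bytes, declared_type: str):
    """Accept/reject an avatar before it is re-encoded and cached; returns (accepted, reason)."""
    info = image_dimensions(data)
    if info is None:
        return False, "not a recognised image"
    kind, w, h = info
    if declared_type != "image/" + kind:
        return False, f"declared {declared_type} but bytes are {kind}"
    if looks_like_markup(data):
        return False, "markup embedded in image bytes"
    if w > MAX_DIMENSION or h > MAX_DIMENSION:
        return False, f"{w}x{h} exceeds {MAX_DIMENSION}px cap"
    return True, "ok"

# Constructed sample headers (not real files) so the checks can be exercised offline.
def png_stub(w, h):
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", w, h) + bytes(5)

def jpeg_stub(w, h):
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sof0 = b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", h, w) + bytes(10)
    return b"\xff\xd8" + app0 + sof0

if __name__ == "__main__":
    for blob, ctype in [(png_stub(96, 96), "image/png"), (png_stub(1600, 3200), "image/png"),
                        (b"GIF89a" + struct.pack("<HH", 10, 10) + b"<html><script>x</script>", "image/gif")]:
        print(check_avatar(blob, ctype))
```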

