Discovery of an OpenID session at an OP
Breno de Medeiros
breno at google.com
Tue Dec 15 18:11:04 UTC 2009
On Tue, Dec 15, 2009 at 9:58 AM, Chris Obdam <chris.obdam at holder.nl> wrote:
>> It's a good opportunity to look at what attack vectors this
>> has enabled in the real world before throwing the usability baby out
>> with the security bathwater.
> And for not throwing the usability baby out I gave a +1 to John ;-)
>
I am also in favor of saving the baby.
I don't buy the CSS history stealing argument, that's all. CSS history
stealing is essentially a cross-domain cookie API without a user opt-out
option. So I wonder how long before browsers turn off this 'feature'.