Discovery of an OpenID session at an OP

Breno de Medeiros breno at google.com
Tue Dec 15 18:11:04 UTC 2009


On Tue, Dec 15, 2009 at 9:58 AM, Chris Obdam <chris.obdam at holder.nl> wrote:
>> It's a good opportunity to look at what attack vectors this
>> has enabled in the real world before throwing the usability baby out
>> with the security bathwater.
> And for not throwing the usability baby out I gave a +1 to John ;-)
>

I am also in favor of saving the baby.

I don't buy the CSS history stealing argument, that's all. CSS history
stealing is essentially a cross-domain cookie API without user opt-out
option.  So I wonder how long before browsers turn off this 'feature'.
