Problem with nonces and HTTP GET

Allen Tom atom at yahoo-inc.com
Fri Jan 29 01:55:36 UTC 2010


Hi Andrew - 

POST responses require the OP to return HTTP 200 with a self-submitting form
in the body. This causes the browser to display a blank white page as an
interstitial before the RP's return_to URL is loaded. Given that the RP's
return_to page will probably take a couple seconds to load (network latency,
verifying the assertion, doing db lookups, etc) the blank white page really
looks clunky.

There are a couple hacks that can be done to make the POST form look more
attractive, but that involves returning even more data in the response body.

In contrast, the 302 Redirect/GET response does not display any blank
interstitials between the time the response is sent to the browser and the
RP responds.

There's plenty of UX research that shows the effect of perceived latency
where even a fraction of a second increase in latency results in a
measurable decrease in user satisfaction. To encourage adoption, it's very
important that we match or exceed the UX standards that have already been
set by the proprietary solutions.

Thanks
Allen


On 1/28/10 6:02 AM, "Andrew Arnott" <andrewarnott at gmail.com> wrote:

> On Wed, Jan 27, 2010 at 11:21 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>> POST adds additional latency, and can cause strange warnings and a blank
>> interstitial (the self submitting form).  
> 
> I agree with all your points, Allen.  But can you explain why POST adds
> additional latency? It seems like just a word change over the wire.  A browser
> and server shouldn't (it seems to me) take any longer to process it, except
> that it disables caching to some extent, but in this case that's desired.
