[OpenID] Yahoo hijacking?
SitG Admin
sysadmin at shadowsinthegarden.com
Sat Apr 19 01:35:09 UTC 2008
>I think it'd be good if the spec allowed the RP to ask the IdP to
>send users back to a specific URL if the user declined to authenticate.
>I also think it'd be fine for IdP's to not send the user back to that
>"Decline URL" -- the user should be able to use their Back Arrow to
>return to the RP site.
>
>Shade -- how could a URL be both "appropriate" and CSRF?
Normally the OP would give the user a new Location header, right? So
off the user would go, re-visiting the RP's site. But on a lower
level, this occurs because the user's browser is sending a GET string
to the RP, and that same GET string can be sent via CSRF - so the OP
could make the user send that GET string without ever actually
visiting the RP again, or leaving the OP's site either. It (the URL)
would only be "appropriate" in the sense of being properly formatted
to tell the RP that the login had been cancelled, but at that point
would it meet the spec - and, in light of the ideas you suggested
above, should it?
-Shade
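To make the concern above concrete, here is an added example (not code from the thread or from any OpenID library) of how an RP might handle a "decline URL". It assumes the RP embeds a per-login, single-use nonce in that URL and keeps the handler's only side effect to discarding the pending login, so a GET arriving via CSRF from a third-party page is ignored, and one triggered by the OP itself can do nothing more than a genuine decline would.

```python
import secrets
from typing import Dict
from urllib.parse import urlparse, parse_qs

# Constructed, simplified RP state: one pending OpenID login per browser
# session, keyed by session id, holding the nonce issued for that login.
pending: Dict[str, str] = {}

def start_login(session_id: str) -> str:
    """Begin an OpenID login for this session; return the decline URL
    that would be handed to the OP (assumed nonce parameter)."""
    nonce = secrets.token_urlsafe(16)
    pending[session_id] = nonce
    return f"https://rp.example/openid/declined?nonce={nonce}"

def handle_decline(session_id: str, query: Dict[str, str]) -> str:
    """Handle a GET to the decline URL.

    The same GET can reach the RP via a Location redirect or via a
    cross-site request from any page the browser renders, so it must
    do nothing unless it matches a login this session actually started,
    and its only effect is to drop that pending login (single use).
    """
    expected = pending.get(session_id)
    supplied = query.get("nonce")
    if expected is None or supplied is None:
        return "ignored"            # no pending login, or no nonce given
    if not secrets.compare_digest(expected, supplied):
        return "ignored"            # guessed or stale nonce
    del pending[session_id]         # consumed: a replayed GET is ignored
    return "cancelled"

def handle_decline_url(session_id: str, url: str) -> str:
    """Convenience wrapper: parse the query string of the requested URL."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return handle_decline(session_id, query)
```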