[OpenID] Yahoo hijacking?
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Apr 19 02:00:46 UTC 2008
Allen Tom:
> 1) The user does NOT want to sign into the site specified by the return_to
> 2) We don't know that the authentication request originated from that site
> 3) The OpenID 2.0 spec does not require OPs to send a negative assertion.
>
> So why would we want to send the user there?
This sounds somewhat lame. And what if the user didn't intend to log in
with Yahoo but with something else and hit that button by mistake
instead of a different one? And what is the return_url for if not to
send the user back to whatever the return_url is set to, including failure
state? I'd expect (as an RP) to receive a reply and inform the user of
the failure, that's all...
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
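Added example, not from this thread or from Yahoo's or any RP's code: an RP-side handler for what arrives at return_to, accepting both the positive assertion and the negative assertion Eddy expects, while addressing Allen's point that the OP cannot know which site originated the request. The RP only acts on callbacks bound to a request it actually issued; the callback URL and the `rp_nonce` parameter the RP mints are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

RP_RETURN_BASE = "https://rp.example/openid/return"   # assumed RP callback URL

# Constructed store of authentication requests this RP actually issued:
# nonce -> the exact return_to it sent to the OP. A real RP keeps this in
# its session store with an expiry so abandoned logins age out even if
# the OP never sends a negative assertion.
PENDING = {n: f"{RP_RETURN_BASE}?rp_nonce={n}" for n in ("abc123", "def456")}


def classify_op_response(callback_url: str) -> str:
    """Classify what an OP delivered to the RP's return_to URL.

    Returns 'positive', 'negative', 'unsolicited' or 'malformed'. A response
    is only tied to a login attempt if its rp_nonce matches a request this
    RP issued, so a callback for a request the user never started here is
    ignored rather than shown to the user as a login failure.
    """
    parts = urlsplit(callback_url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    mode = params.get("openid.mode")
    if mode is None:
        return "malformed"
    nonce = params.get("rp_nonce")
    expected_return_to = PENDING.get(nonce)
    if expected_return_to is None:
        return "unsolicited"
    if mode == "id_res":
        # OpenID 2.0 positive assertion: openid.return_to must equal the
        # return_to the RP sent; signature verification would follow this.
        if params.get("openid.return_to") != expected_return_to:
            return "malformed"
        PENDING.pop(nonce)
        return "positive"
    if mode in ("cancel", "setup_needed"):
        # OpenID 2.0 negative assertions: 'cancel' for checkid_setup,
        # 'setup_needed' for checkid_immediate. Close out the pending
        # request so the RP can tell the user the login did not complete.
        PENDING.pop(nonce)
        return "negative"
    return "malformed"
```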