[OpenID] A selector for OpenID

Thomas Roessler tlr at w3.org
Sun Apr 20 17:00:44 UTC 2008


On 2008-04-20 06:32:43 -0700, larry drebes wrote:

> The javascript attaches to an existing OpenID login form.  In the
> (rare) case the javascript could not load from the (high
> available) idselector server, the form will continue to work,
> just without a default value.

Unfortunately, the OpenID identity provider is another case of the
dreadful "two sites, one DOM" anti-pattern: Embedding the selector
widget means loading an arbitrary script from idselector.com,
running with an origin of the relying party service; in lots of use
cases, it means that the relying party web application will end up
being under the control of janrain.com - or, more precisely,
whatever party will control the idselector.com domain name or the
web server that's operating that site.

The flaw here isn't just about the possibility for idselector.com to
gather data about use of OPs in a centralized spot: It's about
idselector.com becoming a central point of control for
OpenID-enabled web applications.

Regards,
-- 
Thomas Roessler, W3C  <tlr at w3.org>
