[OpenID] Outsourcing headers - XRD(S), CSS?

Allen Tom atom at yahoo-inc.com
Mon Aug 10 17:12:09 UTC 2009


Shade - are you asking about HTML based discovery?

HTML based discovery definitely is great for usability, since the only 
requirement is that the user is able to edit the html on the OpenID 
page, rather than having to configure their webserver to return the 
special X-XRDS-Location HTTP header. In a webhosting environment, the 
user might not have the ability or even the knowledge to configure their 
webserver.

Unfortunately, from a security perspective, HTML based discovery has a 
lot of problems. If the content of the page is dynamically generated 
from untrusted inputs (for instance, the OpenID URL is a profile page 
with a Guestbook), an attacker might be able to insert OpenID discovery 
information into the page. Another problem is that the entire page needs 
to be downloaded in order to parse it, which is problematic since many 
pages are very heavyweight.

Allen

Nat Sakimura wrote:
> That's actually host meta, I suppose.
>
> =nat
>
> On Mon, Aug 10, 2009 at 7:54 AM, SitG Admin 
> <sysadmin at shadowsinthegarden.com 
> <mailto:sysadmin at shadowsinthegarden.com>> wrote:
>
>     Not all sites allow users to fully customize their headers on the
>     Profile page, but some do allow the user to specify other external
>     files (such as CSS), containing expected data. This would be an
>     awkward compatibility hack (and I'm not sure how many sites it
>     would even help with), but what do you all think of an extension
>     to the Discovery process allowing RP's to check other external
>     files for comments containing OpenID declarations?
>
>     -Shade
>     _______________________________________________
>     general mailing list
>     general at lists.openid.net <mailto:general at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-general
>
>
>
>
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
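As an added example (not code from this thread or from any OpenID library), an RP-side HTML discovery routine written with Allen's two concerns in mind: it honours OpenID `<link>` elements only while inside `<head>`, so a link rendered into the body from untrusted input (the guestbook case) is ignored, and it caps how much of a heavyweight page it parses. The byte cap and the sample profile page are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumed cap on how much of a heavyweight page the RP parses (not a spec value).
MAX_BYTES = 64 * 1024
# rel values used by OpenID 2.0 (and 1.x) HTML-based discovery
OPENID_RELS = {"openid2.provider", "openid2.local_id", "openid.server", "openid.delegate"}


class HeadOnlyOpenIDLinks(HTMLParser):
    # Collects OpenID <link> elements only while inside <head>; anything rendered
    # into <body> from untrusted input (a guestbook entry) is ignored.
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_done = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if self.head_done:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":  # <body> implicitly closes <head>
            self.head_done = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            for rel in (a.get("rel") or "").lower().split():  # rel may hold several tokens
                if href and rel in OPENID_RELS:
                    self.links.setdefault(rel, href)  # first declaration wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.head_done = True


def discover_from_html(html_text):
    """Return {rel: href} for OpenID links found in the <head> of a capped page."""
    parser = HeadOnlyOpenIDLinks()
    parser.feed(html_text[:MAX_BYTES])
    parser.close()
    return parser.links


# Constructed profile page: legitimate links in <head>, an injected one in the guestbook.
SAMPLE_PAGE = """<html><head><title>Profile</title>
<link rel="openid2.provider" href="https://op.example.com/server">
<link rel="openid2.local_id" href="https://me.example.com/">
</head><body><h2>Guestbook</h2>
<p>visitor: <link rel="openid2.provider" href="https://injected.example.net/op"></p>
</body></html>"""
```

Running `discover_from_html(SAMPLE_PAGE)` returns only the two links declared in the head; the guestbook link never reaches the result.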
