[OpenID] Outsourcing headers - XRD(S), CSS?
Allen Tom
atom at yahoo-inc.com
Mon Aug 10 17:12:09 UTC 2009
Shade - are you asking about HTML based discovery?
HTML based discovery definitely is great for usability, since the only
requirement is that the user is able to edit the html on the OpenID
page, rather than having to configure their webserver to return the
special X-XRDS-Location HTTP header. In a webhosting environment, the
user might not have the ability or even the knowledge to configure their
webserver.
Unfortunately, from a security perspective, HTML based discovery has a
lot of problems. If the content of the page is dynamically generated
from untrusted inputs (for instance, the OpenID URL is a profile page
with a Guestbook), an attacker might be able to insert OpenID discovery
information into the page. Another problem is that the entire page needs
to be downloaded in order to parse it, which is problematic since many
pages are very heavyweight.
Allen
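An added example (mine, not code from Allen's post or from any OpenID library) of the defensive side of the point above: a discovery parser that honours OpenID `<link>` elements only inside the first `<head>`, so a tag injected into user-controlled body content such as a guestbook is recorded but never used, and that refuses pages above an assumed size cap instead of parsing a heavyweight document in full. The cap, the hostnames and the sample page are constructed.

```python
from html.parser import HTMLParser

MAX_BYTES = 64 * 1024        # assumed size cap; heavyweight pages are refused outright
DISCOVERY_RELS = {"openid2.provider", "openid2.local_id"}

class HeadOnlyLinkParser(HTMLParser):
    """Collect OpenID <link rel=...> elements from the first <head> only."""

    def __init__(self):
        super().__init__()
        self.in_head = False     # currently between <head> and </head>/<body>
        self.head_done = False   # once the head has ended, nothing re-opens it
        self.links = {}          # rel -> href, first occurrence wins
        self.rejected = []       # discovery links seen outside <head> (for logging)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "head" and not self.head_done:
            self.in_head = True
        elif tag == "body":
            self.in_head, self.head_done = False, True   # unclosed <head> ends at <body>
        elif tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            for rel in rels & DISCOVERY_RELS:
                if self.in_head:
                    self.links.setdefault(rel, attrs.get("href"))
                else:
                    self.rejected.append((rel, attrs.get("href")))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head, self.head_done = False, True

def discover(page: bytes):
    """Return discovery info taken from <head>, or None if there is none."""
    if len(page) > MAX_BYTES:
        raise ValueError("page too large for HTML-based discovery")
    p = HeadOnlyLinkParser()
    p.feed(page.decode("utf-8", errors="replace"))
    if "openid2.provider" not in p.links:
        return None
    return {"provider": p.links["openid2.provider"],
            "local_id": p.links.get("openid2.local_id"), "rejected": p.rejected}

# Constructed sample: genuine links in <head>, an injected one inside a guestbook entry.
SAMPLE = (b"<html><head><link rel='openid2.provider' href='https://op.example.net/server'>"
          b"<link rel='openid2.local_id' href='https://alice.example.org/'></head><body>"
          b"<div class='guestbook'>nice page! <link rel='openid2.provider' href='https://attacker.example/op'></div></body></html>")
```

Running `discover(SAMPLE)` returns the `<head>` provider and local_id while listing the guestbook link under `rejected`, which is the entry worth alerting on.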
Nat Sakimura wrote:
> That's actually host meta, I suppose.
>
> =nat
>
> On Mon, Aug 10, 2009 at 7:54 AM, SitG Admin
> <sysadmin at shadowsinthegarden.com
> <mailto:sysadmin at shadowsinthegarden.com>> wrote:
>
> Not all sites allow users to fully customize their headers on the
> Profile page, but some do allow the user to specify other external
> files (such as CSS), containing expected data. This would be an
> awkward compatibility hack (and I'm not sure how many sites it
> would even help with), but what do you all think of an extension
> to the Discovery process allowing RP's to check other external
> files for comments containing OpenID declarations?
>
> -Shade
> _______________________________________________
> general mailing list
> general at lists.openid.net <mailto:general at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-general
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/