[OpenID] Outsourcing headers - XRD(S), CSS?
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Aug 10 18:53:16 UTC 2009
>Shade - are you asking about HTML based discovery?
Yes, that's how I'd always read OpenID to work - this is the first
I've heard of an "X-XRDS-Location" response header.
>Unfortunately, from a security perspective, HTML based discovery has
>a lot of problems. If the content of the page is dynamically
>generated from untrusted inputs (for instance, the OpenID URL is a
>profile page with a Guestbook), an attacker might be able to insert
>OpenID discovery information into the page. Another problem is that
>the entire page needs to be downloaded in order to parse it, which
>is problematic since many pages are very heavyweight.
Thus the placement of OpenID headers in "HEAD", so (supporting)
servers can be asked to provide just that much of the page; still,
isn't an external CSS file declared in that area? (Not that it would
matter if the server was dynamically generating the page by
requesting this internal CSS file itself - and probably saving on
bandwidth by omitting comments, as well.)
Going for "first match found, stop parsing there" MIGHT help, but
assumes that a match WILL be present - and enables impersonation of
anyone who *didn't* know about OpenID (enough to prevent it), while
imposing a burden on users who just weren't interested but would feel
annoyed that they had to configure a file to stop it . . . yes, I can
see why there are concerns about HTML-based discovery.
-Shade
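Added example (not part of the original post) illustrating the injection problem quoted above: a relying party that scans the whole page for discovery `<link>` elements will pick up markup inserted through a guestbook, while one that stops at the end of `<head>` ignores it. The page markup and the `evil.example` URL are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Link relations used by OpenID HTML-based discovery (2.0 names and 1.x names).
PROVIDER_RELS = {"openid2.provider", "openid.server"}
LOCAL_ID_RELS = {"openid2.local_id", "openid.delegate"}


class _LinkCollector(HTMLParser):
    """Collect (rel, href) from <link> elements, optionally only inside <head>."""

    def __init__(self, head_only):
        super().__init__()
        self.head_only = head_only
        self.in_head = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # <body> implies the head has ended
        elif tag == "link" and (self.in_head or not self.head_only):
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                for rel in a["rel"].lower().split():
                    self.links.append((rel, a["href"]))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def html_discover(html, head_only=True):
    """Return provider/local_id endpoints found; first match per kind wins."""
    p = _LinkCollector(head_only)
    p.feed(html)
    p.close()
    found = {}
    for rel, href in p.links:
        key = "provider" if rel in PROVIDER_RELS else "local_id" if rel in LOCAL_ID_RELS else None
        if key and key not in found:
            found[key] = href
    return found


# Constructed profile page of a user who never set up OpenID: the only discovery
# markup sits inside an attacker-supplied guestbook comment in the body.
PROFILE_WITH_GUESTBOOK = """<html><head><title>Profile</title>
<link rel="stylesheet" href="/style.css"></head><body><h1>Guestbook</h1>
<p>nice page! <link rel="openid2.provider" href="https://evil.example/op"></p></body></html>"""
```

With `head_only=False` the result is `{'provider': 'https://evil.example/op'}`; with the default head-only parsing it is `{}`, so discovery fails closed for a page that never declared an OpenID provider.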