[OpenID] Fwd: [OpenID Foundation] New Poll Opened
Allen Tom
atom at yahoo-inc.com
Mon Mar 23 00:03:20 UTC 2009
The major criticism of earlier versions of Facebook Connect was that it
used an inline iframe for the user to enter their email/password if they
were not already signed into FB. While the inline iframe was certainly
less disruptive than the redirect that it replaced, users could not tell
where the password was being submitted. In addition to being vulnerable
to spoofing, the iframe was also vulnerable to clickjacking. The current
implementation of Connect uses a small popup, with the address bar
displayed, which for all intents and purposes is equivalent to the
redirect from a security perspective, but is much less disruptive than
the redirect.
Allen
Eddy Nigg (StartCom Ltd.) wrote:
> On 03/21/2009 04:13 AM, Breno de Medeiros:
>> It is interesting how a discussion on a relatively simple extension
>> proposal which was motivated by:
>>
>> 1. Users saying in usability study after usability study that they
>> are more comfortable with the Facebook-Connect style login flow than
>> the full browser redirect model.
>
> And wasn't Facebook criticized for it? Didn't many see a problem with
> their approach? I don't think there is anything new with what was
> said. Popup windows are generally on the decline when compared to 5 or
> 10 years ago, why start to use them now?
>
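The clickjacking exposure described above for the inline iframe depends on the login page being frameable by another origin at all. As an added example (not part of the original thread, nor code from Facebook or any OpenID provider), this JavaScript classifies a login response by its anti-framing headers; the function names and sample responses are constructed for illustration, and it assumes a single Content-Security-Policy header value.

```javascript
// Added example: can this login response be embedded in a cross-origin iframe?
// Uses the standard X-Frame-Options and Content-Security-Policy
// (frame-ancestors) response headers. Function names are hypothetical.

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// headers: plain object of response headers, names in any case.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    // When present, frame-ancestors is enforced and X-Frame-Options is ignored.
    // An empty list matches no ancestor, so it behaves like 'none'.
    if (sources.length === 0 || sources.includes("'none'")) return "blocked";
    if (sources.every((s) => s === "'self'")) return "same-origin-only";
    if (sources.some((s) => ["*", "http:", "https:"].includes(s))) return "frameable";
    return "allowlisted"; // specific hosts only: review the list by hand
  }
  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return "blocked";
  if (xfo === "sameorigin") return "same-origin-only";
  // Missing or unrecognised values (including the obsolete ALLOW-FROM,
  // which current browsers ignore) give no protection.
  return "frameable";
}

// Constructed sample responses for a login endpoint.
const samples = {
  bare: { "Content-Type": "text/html" },
  legacy: { "X-Frame-Options": "SAMEORIGIN" },
  strict: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  partner: { "content-security-policy": "frame-ancestors https://rp.example", "x-frame-options": "DENY" },
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, "->", framingPolicy(hdrs));
}
```

A "frameable" verdict on a page that collects credentials is the condition that made the inline-iframe flow open to clickjacking; the popup and redirect flows load the login page as a top-level document instead.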