<div class="gmail_quote">On Mon, Apr 20, 2009 at 1:10 PM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
User agents don't let you make cross-site HTTP calls however, which may block the implementation of your idea.<br>
</blockquote>
<br></div>
They don't? I thought that was why XSS attacks (literally, "cross-site scripting") were so dangerous; but then, since you don't need scripts enabled (just images would do) for that, I may be conflating two meanings of "scripting". Depending on what content at OP's is restricted, and *how* it gets restricted, a script may not need to examine HTTP Response headers - if it could just look at whether a requested image was returned at all, or the size of that image?<br>
<br>
Or, if OP's were to set up a special URL for allied RP's to test whether users were logged in - but no matter what can be achieved through cooperation that way, which OP's would *want* to mitigate OpenID's privacy by letting arbitrary sites (whoever sent the users similar scripts) check which supporting OP's the user was currently logged into (if not what their account name was), and easily transmit that data back to the RP?</blockquote>
<div><br></div><div>This is how Facebook Connect works. XSS can be very useful; in and of themselves, they're not intrinsically evil, but abusing this feature of browsers/servers leads to bad things.</div><div><br></div>
<div>The problem with your proposal is that the RP would need to have a unique cross-domain script that talks to N number of OPs, which is tractable but not terribly efficient. It also adds an extra burden on the OPs and can additionally lead to an inconsistent or "squishy" user experience — where, depending on local system settings (and whether the user is on their personal computer or on a shared terminal, like in an Apple store), the positive hints you receive about logged-in OPs may be misleading or downright wrong.</div>
<div><br></div><div>This is why the CSS history detection trick [1][2][3] is so brittle — it depends on a current browser behavior that can change in its effectiveness depending on how often a user clears their history, uses non-personal computers or works across several different devices.</div>
<div> </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Didn't you mention (or discuss on a thread) sometime back the idea of emitting links to OPs using javascript, then sniffing whether they were "visited" links or not in order to see which OPs the user has been to and thereby guess which OPs are most effective to display to the user?<br>
</blockquote>
<br></div>
I don't think so, though this does seem to be another instance of "attack" techniques (I do recall reading about it; there's a Firefox addon addressing the risk) being used for "good".<br></blockquote>
<div><br></div><div>Luke Shepard wrote about this idea recently:</div><div><br></div><div><a href="http://www.sociallipstick.com/2009/04/15/lets-detect-logged-in-state/">http://www.sociallipstick.com/2009/04/15/lets-detect-logged-in-state/</a></div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
We've all had a lot of ideas, but they tend to get lost among the older threads. I'm of a mind to embark on a project to index all these ideas so we can easily find them later on, when we need them or are just interested.</blockquote>
<div><br></div><div>I'd be thrilled if you'd take this on using OpenID wiki! <a href="http://wiki.openid.net">http://wiki.openid.net</a>!</div><div><br></div><div>Alternatively, you could submit them to <a href="http://ideas.openid.net">ideas.openid.net</a>.</div>
<div><br></div><div>Thanks,</div><div><br></div><div>Chris</div><div><br></div><div>[1] <a href="http://www.azarask.in/blog/post/socialhistoryjs/">http://www.azarask.in/blog/post/socialhistoryjs/</a></div><div>[2] <a href="http://www.niallkennedy.com/blog/2008/02/browser-history-sniff.html">http://www.niallkennedy.com/blog/2008/02/browser-history-sniff.html</a> </div>
<div>[3] <a href="http://www.niallkennedy.com/blog/2006/03/automatic-favor.html">http://www.niallkennedy.com/blog/2006/03/automatic-favor.html</a></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5"><br>
<br>
-Shade<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Citizen-Participant &<br> Open Web Advocate<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> // <a href="http://diso-project.org">diso-project.org</a> // <a href="http://vidoop.com">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
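<div>Added example (not code from this thread, from OpenID or from any of the linked posts): a toy model of the login-state leak discussed above. The OP image endpoint, the session store and the browser profiles are all constructed here; the RP-side script is assumed to see only whether a cross-site image loaded and how large it was, the two signals the message names. A leaky endpoint is shown beside a uniform one, with a check an OP operator can run to tell whether an endpoint gives the probing script anything to learn, and a case showing why the hint is "squishy" on a shared terminal.</div>

```javascript
// Constructed session state per browser profile: which OPs hold a live session.
// "store-kiosk" is a shared terminal where a previous shopper stayed logged in.
const SESSIONS = {
  "alice-laptop": { "op.example": true, "other-op.example": false },
  "store-kiosk": { "op.example": true },
  "fresh-browser": {},
};
const OPS = ["op.example", "other-op.example"];

function hasSession(op, profile) {
  return (SESSIONS[profile] || {})[op] === true;
}

// Leaky OP (hypothetical): a badge image served only to logged-in sessions.
// Both the status and the byte count differ with login state.
function leakyImageEndpoint(op, profile) {
  return hasSession(op, profile)
    ? { status: 200, bytes: 43 }
    : { status: 403, bytes: 0 };
}

// Uniform OP (hypothetical): the same bytes come back whether or not a session
// exists, so a cross-site image load carries no information about login state.
function uniformImageEndpoint(op, profile) {
  return { status: 200, bytes: 43 };
}

// What a cross-site script can observe about an <img>: load vs. error and the
// image size. It never sees the response headers.
function observeAsRpScript(response) {
  return { loaded: response.status === 200, bytes: response.bytes };
}

// The per-OP "hint" an RP would derive: true if the script believes the
// browser is logged in at that OP.
function probeOps(endpoint, ops, profile) {
  const hints = {};
  for (const op of ops) {
    const seen = observeAsRpScript(endpoint(op, profile));
    hints[op] = seen.loaded && seen.bytes > 0;
  }
  return hints;
}

// Operator's check: does the endpoint yield a different hint for a profile
// with sessions than for a fresh browser? If not, nothing leaks this way.
function leaksLoginState(endpoint, ops) {
  const withSessions = probeOps(endpoint, ops, "alice-laptop");
  const fresh = probeOps(endpoint, ops, "fresh-browser");
  return ops.some((op) => withSessions[op] !== fresh[op]);
}

// The squishy case: on the shared kiosk the leaky endpoint reports "logged in
// at op.example", but that session belongs to whoever used the terminal last.
function hintOnSharedTerminal(endpoint) {
  return probeOps(endpoint, OPS, "store-kiosk")["op.example"];
}

console.log("leaky endpoint leaks:", leaksLoginState(leakyImageEndpoint, OPS)); // true
console.log("uniform endpoint leaks:", leaksLoginState(uniformImageEndpoint, OPS)); // false
console.log("kiosk hint for op.example:", hintOnSharedTerminal(leakyImageEndpoint)); // true, but misleading
```

<div>The model deliberately ignores headers, since the quoted message's point is that a script may not need them: status and size alone are enough to recover the bit from the leaky endpoint, and the uniform endpoint closes that channel because the two profiles become indistinguishable to the probe.</div>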